CN106302502A - Secure access authentication method, user terminal and server - Google Patents


Info

Publication number
CN106302502A
Application number
CN201610757520.6A
Other versions
CN106302502B (en)
Other languages
Chinese (zh)
Authority
CN (China)
Legal status
Granted; Expired - Fee Related
Inventor
郭铮铮
Current Assignee
Guo Zhengzheng
Original Assignee
Beijing Dongshi Technology Co Ltd
Events
Application filed by Beijing Dongshi Technology Co Ltd
Publication of CN106302502A
Application granted
Publication of CN106302502B

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security)
    • H04L63/06 Network security for supporting key management in a packet data network
    • H04L63/068 Key management using time-dependent keys, e.g. periodically changing keys
    • H04L63/08 Network security for authentication of entities
    • H04L63/083 Authentication of entities using passwords
    • H04L63/0846 Authentication using time-dependent passwords, e.g. periodically changing passwords
    • H04L63/0884 Authentication by delegation, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Abstract

Embodiments of the invention relate to a secure access authentication method, a user terminal and a server. The secure access authentication method includes: the user terminal sends a device registration message to a device-application relationship verification server and establishes a device secure registration relationship; the user terminal sends an authorization request message to the device-application relationship verification server and establishes an application-and-account-to-device secure registration relationship; the user terminal sends an application login request message to an application service server; the application service server sends the user terminal a message requiring device-application verification; the user terminal sends a device application access credential message to the application service server; the application service server processes the device application access credential message and sends it to the device-application relationship verification server; the device-application relationship verification server verifies the device application access credential message and sends an application secure access authentication result to the application service server; the application service server responds to the user terminal's login request message.

Description

Secure access authentication method, user terminal and server
This application is associated with Chinese patent application No. 201610204634.8, titled "Information processing method, system and device for enhanced access security", filed on 3 April 2016, which is incorporated herein by reference.
Technical field
Embodiments of the invention relate to the field of information security technology, and specifically to a secure access authentication method, a user terminal and a server.
Background art
The private information of Internet users, such as application user identities and passwords, is easily stolen. An intruder then uses the obtained private information on an unauthorized third-party device to access the user's private information, make purchases, transfer funds and carry out other infringing operations.
New techniques now exist to strengthen security at user login, such as two-step password verification, which at each login to an application, network or system requires entering an additional verification code or a dynamic key produced by a token device or input peripheral, for example software tokens and RSA hardware tokens. These approaches add the cost of a manual verification-code entry step or of hardware management, so the process of raising security also raises the complexity of use. A technique is needed that improves security while simplifying, or at least not increasing, the complexity of use.
Many applications use parameters of the hardware installed in a smart mobile device to identify the device, such as the IMEI, or information obtained by combining the computer name, MAC address, IMSI, hardware serial numbers or preset system parameters. Such information is easy to simulate, obtain or leak, so it cannot meet the higher security demand for unique identification of a device and cannot serve as the authorized source of authority for access authentication. An effective, dynamically verified credential is needed to ensure confidentiality and validity.
Client certificate authentication can in theory provide unique authentication of a user at login, but because of the high cost of the solution and of its offline management, the current Internet architecture cannot provide this security service for most client devices accessing the Internet. A cheap, easily managed and automated technique is needed to strengthen the verification of user login and of services.
Hardware keys currently used for verification and identification, such as the U-shield used by banks and RSA's SecurID, store the key in a portable hardware unit, distribute the client key offline to guarantee security, load the server key through offline, static, manual maintenance, and associate the signing key with the verification key through the hardware serial number or device ID of the key storage. This approach solves the security problem but severely limits generality. It also requires the user to bear the cost of managing additional hardware, and when the key's lifetime is limited, most commercial hardware key devices, such as RSA SecurID, can only be exchanged for new hardware. A technique and system are needed that can generate and update client and server keys online and associate them automatically.
Phone numbers and e-mail are now the most common channels for delivering verification codes and authorization codes. If an authorization SMS code, or authorization information in another form such as a QR code or an e-mail, is stolen, it may authorize another device to access the application account. A technique is needed to prevent a misused authorization code or verification code from authorizing an illegitimate device, or from letting the misusing device access the user's account and services; that is, a technical method whereby an authorization or verification code uniquely corresponds to the authorization or verification of a specified application account and service for a specified user-terminal device.
The verification and signature security techniques currently used on networks all face birthday attacks, brute-force attacks or man-in-the-middle attacks against the keys that produce credentials. A technique is needed that can resist brute-force and birthday attacks and detect man-in-the-middle attacks, thereby raising the security level.
With the rapid spread of mobile computing devices and the development of wearables and the Internet of Things, devices with intelligent computing capability are multiplying rapidly, and the demand for keys to authenticate trusted devices will rise sharply. The keys provided for authentication must be hugely extensible, offering enormous room for the identification and operation of the diverse devices of the future Internet of Things.
Among existing methods there is not yet an access verification technique that combines several dynamic device verification shared codes and a dynamic key identification shared code in one secure unit to provide device-application and account access credentials, and thereby solves the above problems.
Summary of the invention
The technical problem to be solved is how to improve the security of user access.
Against the defects of the prior art, embodiments of the invention provide a secure access authentication method, a user terminal and a server, which can effectively improve the security of user access.
In a first aspect, an embodiment of the invention provides a secure access authentication method, including:
the user terminal sends a device registration message to a device-application relationship verification server (hereafter the relationship verification server) and establishes a device secure registration relationship;
the user terminal sends an authorization request message to the relationship verification server and, according to the device secure registration relationship, establishes an application-and-account-to-device secure registration relationship;
the user terminal sends an application login request message to the application service server;
the application service server sends the user terminal a message requiring device-application verification;
the user terminal sends a device application access credential message to the application service server;
the application service server processes the device application access credential message and sends it to the relationship verification server;
the relationship verification server verifies the device application access credential message according to the application-and-account-to-device secure registration relationship and sends an application secure access authentication result to the application service server;
the application service server responds to the user terminal's application login request message according to the application secure access authentication result.
Optionally, the user terminal sending a device registration message to the relationship verification server and establishing a device secure registration relationship includes:
the user terminal and the relationship verification server negotiate a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored respectively at the user terminal and at the relationship verification server; the relationship verification server assigns a first dynamic device verification shared code registration ID corresponding to the first shared code and a second dynamic device verification shared code registration ID corresponding to the second shared code;
the relationship verification server generates a first dynamic key identification shared code from its own copies of the first and second dynamic device verification shared codes;
the relationship verification server sends the user terminal a dynamic device shared code verification message carrying the first and second registration IDs; the dynamic device shared code verification message includes a sub-message-body credential and a message signature;
the user terminal verifies the sub-message-body credential with its own copies of the first and second dynamic device verification shared codes, verifies the message signature with the relationship verification server's public key, and after both checks pass generates a device registration credential;
the user terminal sends the relationship verification server a device registration message carrying the device registration credential, the first registration ID and the second registration ID;
the relationship verification server uses the first and second registration IDs in the device registration message to look up its corresponding first and second dynamic device verification shared codes, and verifies the device registration message with them;
after the device registration message passes verification, the relationship verification server returns to the user terminal a device registration confirmation message carrying the device registration verification result and the first dynamic key identification shared code.
Optionally, the device registration message includes one or more of: the device registration credential, the first dynamic device verification shared code registration ID, and the second dynamic device verification shared code registration ID.
Optionally, the dynamic device shared code verification message includes:
a main message body and a message signature;
the main message body includes a sub-message body and a sub-message-body credential;
the sub-message body includes the first registration ID, the second registration ID and a random salt value;
the sub-message-body credential is produced from the first and second dynamic device verification shared codes;
the message signature is obtained by the relationship verification server signing the main message body with its private key.
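The registration exchange of the clauses above, written out as an added example in Python; this is not code from the patent. The patent fixes no primitives, so the block assumes that a message-body credential is HMAC-SHA256 under a key derived from the two dynamic device verification shared codes, that the key identification shared code is HMAC-SHA256(code1, code2), and that the server's private-key signature is modelled by an HMAC under a server-held key of which the terminal holds a verifying copy (a dependency-free stand-in for a real public-key signature). Message field names and the `type` tag are illustrative.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not code from the patent. Assumptions: credential = HMAC-SHA256
# keyed from the two shared codes; key-id shared code = HMAC-SHA256(code1, code2);
# the server signature is an HMAC under a server-held key whose verifying copy the
# terminal holds (stand-in for a real public-key signature).


def credential(code_a, code_b, body):
    """Credential over a message body, keyed by two shared codes."""
    key = hmac.new(code_a, code_b, hashlib.sha256).digest()
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def key_id_code(code_a, code_b):
    """Dynamic key identification shared code derived from two shared codes."""
    return hmac.new(code_a, code_b, hashlib.sha256).hexdigest()


class RelationServer:
    def __init__(self):
        self.sign_key = secrets.token_bytes(32)  # stand-in for the signing private key
        self.codes = {}                          # registration ID -> shared code
        self.registered = {}                     # key-id shared code -> (id1, id2)

    def negotiate(self):
        """Negotiate the first and second shared codes; assign each a registration ID."""
        code1, code2 = secrets.token_bytes(32), secrets.token_bytes(32)
        id1, id2 = secrets.token_hex(8), secrets.token_hex(8)
        self.codes[id1], self.codes[id2] = code1, code2
        return code1, code2, id1, id2

    def shared_code_verification_message(self, id1, id2):
        """Sub body = IDs + salt; main body = sub body + its credential; then sign."""
        code1, code2 = self.codes[id1], self.codes[id2]
        sub_body = {"id1": id1, "id2": id2, "salt": secrets.token_hex(16)}
        main_body = {"sub_body": sub_body, "sub_cred": credential(code1, code2, sub_body)}
        return {"main_body": main_body, "signature": credential(self.sign_key, b"sig", main_body)}

    def register(self, msg):
        """Look up the codes by the IDs in the message and verify the registration credential."""
        code1, code2 = self.codes.get(msg["id1"]), self.codes.get(msg["id2"])
        if code1 is None or code2 is None:
            return {"result": "unknown registration ID"}
        body = {"id1": msg["id1"], "id2": msg["id2"], "type": "register"}
        if not hmac.compare_digest(credential(code1, code2, body), msg["reg_cred"]):
            return {"result": "bad registration credential"}
        keyid = key_id_code(code1, code2)
        self.registered[keyid] = (msg["id1"], msg["id2"])
        return {"result": "ok", "keyid": keyid}  # confirmation carries the key-id shared code


class UserTerminal:
    def __init__(self, code1, code2, server_verify_key):
        self.code1, self.code2 = code1, code2
        self.verify_key = server_verify_key  # stand-in for the server's public key
        self.keyid = None

    def registration_message(self, msg):
        """Check the signature, then the sub-body credential, then build the registration message."""
        main_body = msg["main_body"]
        if not hmac.compare_digest(credential(self.verify_key, b"sig", main_body), msg["signature"]):
            raise ValueError("server signature does not verify")
        sub_body = main_body["sub_body"]
        if not hmac.compare_digest(credential(self.code1, self.code2, sub_body), main_body["sub_cred"]):
            raise ValueError("server's shared codes differ from the terminal's")
        body = {"id1": sub_body["id1"], "id2": sub_body["id2"], "type": "register"}
        return {**body, "reg_cred": credential(self.code1, self.code2, body)}

    def confirm(self, reply):
        if reply["result"] == "ok":
            self.keyid = reply["keyid"]  # stored for later lookups
        return reply["result"]


def run_registration(tamper=False):
    """Full exchange; with tamper=True the server message is altered in transit."""
    server = RelationServer()
    code1, code2, id1, id2 = server.negotiate()
    terminal = UserTerminal(code1, code2, server.sign_key)
    msg = server.shared_code_verification_message(id1, id2)
    if tamper:
        msg["main_body"]["sub_body"]["salt"] = "0" * 32
    try:
        reply = server.register(terminal.registration_message(msg))
    except ValueError as err:
        return str(err), None
    return terminal.confirm(reply), terminal.keyid


if __name__ == "__main__":
    print(run_registration())
    print(run_registration(tamper=True))
```

In the tampered run the salt is changed in transit, so the signature check on the terminal fails first and no registration message is ever sent; the server only learns the key-id shared code of a device whose registration credential verified under the codes it looked up by registration ID.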
Optionally, the user terminal sending an authorization request message to the relationship verification server and establishing, according to the device secure registration relationship, an application-and-account-to-device secure registration relationship includes:
the application service server processes the application authorization request message received from the user terminal and sends it to the relationship verification server;
the relationship verification server generates a dynamic authorization code ciphertext from the application authorization request message and sends it to the application service server;
the application service server in turn sends the dynamic authorization code ciphertext and a randomly generated number to the user terminal;
the user terminal generates, from the dynamic authorization code and the randomly generated number, an authorization response message carrying an authorization credential and sends it to the application service server; the authorization message includes the randomly generated number and the dynamic authorization code ciphertext;
the application service server processes the authorization response message received from the user terminal and sends it to the relationship verification server;
the relationship verification server verifies the authorization response message according to the device secure registration relationship, then verifies the dynamic authorization code ciphertext, and returns an application confirmation result to the user terminal through the application service server.
Optionally, the relationship verification server generating a dynamic authorization code ciphertext from the application authorization request message includes:
generating a dynamic authorization code from the authorization request message;
generating a dynamic authorization key from the authorization request message;
encrypting the dynamic authorization code with the dynamic authorization key;
sending an authorization code message containing the dynamic authorization code ciphertext and the first dynamic key identification shared code to the application service server.
Optionally, the relationship verification server verifying the authorization response message according to the device secure registration relationship, then verifying the authorization code ciphertext and returning an application confirmation result to the user terminal through the application service server includes:
checking, with the device secure registration relationship, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key held for the device secure registration relationship on the server, and checking whether the decrypted authorization code matches the authorization code the relationship verification server issued;
if both match, adding the application corresponding to this authorization code, the user ID, the authorized service operations, the authorization time and the device relationship to the device application list.
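The authorization flow above, including the application service server that relays between the two sides, as an added example in Python that is not part of the patent. The registered state (first and second shared codes) is constructed inline. Assumptions the patent leaves open: the credential is HMAC-SHA256 keyed from the two shared codes; the authorization code is encrypted under a per-request dynamic authorization key using an HMAC-SHA256 counter keystream (a dependency-free stand-in for a real cipher); and the terminal's authorization credential binds the random number and the ciphertext exactly as received. The `stolen` run shows the check in the last clause: the same authorization message used from a device that is not the registered one.

```python
import hashlib
import hmac
import json
import secrets
import time

# Added example, not code from the patent. Assumptions: credential = HMAC-SHA256 keyed
# from the two shared codes; the authorization code is encrypted with an HMAC-SHA256
# keystream under a per-request key (stand-in cipher); the terminal's authorization
# credential covers the random number and the ciphertext it received.


def credential(code_a, code_b, body):
    key = hmac.new(code_a, code_b, hashlib.sha256).digest()
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def keystream_xor(key, nonce, data):
    """Encrypt or decrypt by XOR with an HMAC-SHA256 counter keystream (stand-in cipher)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class RelationServer:
    def __init__(self, code1, code2):
        self.code1, self.code2 = code1, code2
        self.keyid = hmac.new(code1, code2, hashlib.sha256).hexdigest()
        self.pending = {}      # ciphertext -> (authorization code, authorization key, request)
        self.device_apps = []  # the device application list

    def authorization_code_message(self, request):
        """Generate a dynamic authorization code and key, encrypt, return ciphertext + key-id code."""
        auth_code, auth_key = secrets.token_hex(16), secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        ct = (nonce + keystream_xor(auth_key, nonce, auth_code.encode())).hex()
        self.pending[ct] = (auth_code, auth_key, request)
        return {"auth_code_ct": ct, "keyid": self.keyid}

    def verify_authorization_response(self, resp):
        """Credential check under the registration relationship, then decrypt and compare the code."""
        if resp["keyid"] != self.keyid or resp["auth_code_ct"] not in self.pending:
            return "unknown device or authorization"
        body = {"rand": resp["rand"], "auth_code_ct": resp["auth_code_ct"]}
        if not hmac.compare_digest(credential(self.code1, self.code2, body), resp["auth_cred"]):
            return "authorization credential mismatch"
        auth_code, auth_key, request = self.pending.pop(resp["auth_code_ct"])
        raw = bytes.fromhex(resp["auth_code_ct"])
        if keystream_xor(auth_key, raw[:16], raw[16:]) != auth_code.encode():
            return "authorization code mismatch"
        self.device_apps.append({"app": request["app"], "user": request["user"],
                                 "operations": request["operations"],
                                 "time": time.time(), "keyid": self.keyid})
        return "authorized"


class AppServer:
    """Application service server: relays between the terminal and the relation server."""

    def __init__(self, relation):
        self.relation = relation

    def forward_request(self, request):
        msg = self.relation.authorization_code_message(request)
        return {**msg, "rand": secrets.token_hex(16)}  # adds the randomly generated number

    def forward_response(self, resp):
        return self.relation.verify_authorization_response(resp)


class UserTerminal:
    def __init__(self, code1, code2, keyid):
        self.code1, self.code2, self.keyid = code1, code2, keyid

    def authorization_response(self, msg):
        body = {"rand": msg["rand"], "auth_code_ct": msg["auth_code_ct"]}
        return {**body, "keyid": self.keyid, "auth_cred": credential(self.code1, self.code2, body)}


def run_authorization(stolen=False):
    """Normal flow, or (stolen=True) the same authorization message answered by another device."""
    code1, code2 = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed registration state
    relation = RelationServer(code1, code2)
    app, terminal = AppServer(relation), UserTerminal(code1, code2, relation.keyid)
    msg = app.forward_request({"app": "example-app", "user": "alice", "operations": ["login"]})
    if stolen:
        terminal = UserTerminal(secrets.token_bytes(32), secrets.token_bytes(32), relation.keyid)
    result = app.forward_response(terminal.authorization_response(msg))
    return result, len(relation.device_apps)


if __name__ == "__main__":
    print(run_authorization())
    print(run_authorization(stolen=True))
```

The pending entry is removed on first use, so a second response for the same ciphertext is refused as unknown; the credential check under the registration codes runs before decryption, which is what ties the authorization to the registered device rather than to whoever holds the ciphertext.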
Optionally, the method further includes updating the device secure registration relationship:
the user terminal and the relationship verification server negotiate a third dynamic device verification shared code and a fourth dynamic device verification shared code, stored respectively at the user terminal and at the relationship verification server;
the relationship verification server generates a second dynamic key identification shared code from its own third and fourth dynamic device verification shared codes;
the relationship verification server sends the user terminal a device update required message carrying the second dynamic key identification shared code and the first dynamic key identification shared code;
the user terminal generates a dynamic device update message from its own first and second dynamic device verification shared codes, the first dynamic key identification shared code, the third and fourth dynamic device verification shared codes and the second dynamic key identification shared code, and sends it to the relationship verification server; the dynamic device update message includes a user terminal update registration credential, the first dynamic key identification shared code and the second dynamic key identification shared code;
the relationship verification server verifies the dynamic device update message using its own first and second dynamic device verification shared codes, the first dynamic key identification shared code, the third and fourth dynamic device verification shared codes and the second dynamic key identification shared code;
the relationship verification server generates a device update confirmation message from its own third and fourth dynamic device verification shared codes, the second dynamic key identification shared code, the first and second dynamic device verification shared codes and the first dynamic key identification shared code;
the relationship verification server returns the device update registration verification result to the user terminal.
Optionally, the relationship verification server returning the device update registration verification result to the user terminal includes:
the relationship verification server returns a device update confirmation message to the user terminal;
the user terminal computes the main-message-body credential of the device update confirmation message from the third and fourth dynamic device verification shared codes corresponding to its second dynamic key identification shared code, computes the sub-message-body credential of the message from the first and second dynamic device verification shared codes corresponding to its first dynamic key identification shared code, and compares the computed main-body and sub-body credentials with the corresponding credentials carried in the message;
if both verify, the user terminal sets its third and fourth dynamic device verification shared codes and the corresponding second dynamic key identification shared code to the registered state;
the user terminal saves the second dynamic key identification shared code;
the user terminal sends the relationship verification server a device update registration message carrying a device registration credential produced with its own third and fourth dynamic device verification shared codes, together with the second dynamic key identification shared code;
the relationship verification server verifies the device update registration message using its own third and fourth dynamic device verification shared codes and the second dynamic key identification shared code;
the relationship verification server returns the device update registration verification result to the user terminal.
Optionally, the user terminal update registration credential includes a main-message-body credential and a sub-message-body credential of the dynamic device update message:
the sub-message-body credential of the dynamic device update message is computed by the user terminal from its own third and fourth dynamic device verification shared codes;
the main-message-body credential of the dynamic device update message is computed by the user terminal from its own first and second dynamic device verification shared codes.
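The shared-code rotation described above (update message, confirmation, re-registration under the new codes), as an added example in Python that is not part of the patent. The starting state (first and second shared codes, first key-id shared code) is constructed inline rather than negotiated. Note the asymmetry the clauses specify: in the terminal's update message the main-body credential is under the old codes and the sub-body credential under the new ones, while in the server's confirmation the main-body credential is under the new codes and the sub-body credential under the old ones; the block follows that exactly. Assumptions: HMAC-SHA256 credentials keyed from two shared codes, the key-id shared code as HMAC-SHA256(code_a, code_b), and a terminal-side check that the second key-id code announced by the server matches the one derived from the negotiated third and fourth codes.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not code from the patent. Assumptions: credential = HMAC-SHA256 keyed
# from two shared codes; key-id shared code = HMAC-SHA256(code_a, code_b); the terminal
# recomputes the second key-id code from the new codes to check the server's value.


def credential(code_a, code_b, body):
    key = hmac.new(code_a, code_b, hashlib.sha256).digest()
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def key_id_code(code_a, code_b):
    return hmac.new(code_a, code_b, hashlib.sha256).hexdigest()


class RelationServer:
    def __init__(self, code1, code2):
        self.code1, self.code2, self.keyid1 = code1, code2, key_id_code(code1, code2)
        self.code3 = self.code4 = self.keyid2 = None
        self.active_keyid = self.keyid1

    def negotiate_new_codes(self):
        """Negotiate the third and fourth shared codes; derive the second key-id code."""
        self.code3, self.code4 = secrets.token_bytes(32), secrets.token_bytes(32)
        self.keyid2 = key_id_code(self.code3, self.code4)
        return self.code3, self.code4

    def update_required_message(self):
        return {"keyid1": self.keyid1, "keyid2": self.keyid2}

    def verify_update_message(self, msg):
        """Update message: main credential under codes 1/2, sub credential under codes 3/4."""
        body = {"keyid1": msg["keyid1"], "keyid2": msg["keyid2"]}
        ids_ok = msg["keyid1"] == self.keyid1 and msg["keyid2"] == self.keyid2
        main_ok = hmac.compare_digest(credential(self.code1, self.code2, body), msg["main_cred"])
        sub_ok = hmac.compare_digest(credential(self.code3, self.code4, body), msg["sub_cred"])
        if not (ids_ok and main_ok and sub_ok):
            return None
        # Confirmation: main credential under codes 3/4, sub credential under codes 1/2.
        conf = {"keyid2": self.keyid2, "status": "update-confirmed"}
        return {**conf, "main_cred": credential(self.code3, self.code4, conf),
                "sub_cred": credential(self.code1, self.code2, conf)}

    def verify_update_registration(self, msg):
        """Re-registration under the new codes; only then does the new key-id become active."""
        body = {"keyid2": msg["keyid2"], "type": "update-register"}
        if msg["keyid2"] == self.keyid2 and hmac.compare_digest(
                credential(self.code3, self.code4, body), msg["reg_cred"]):
            self.active_keyid = self.keyid2
            return "ok"
        return "failed"


class UserTerminal:
    def __init__(self, code1, code2, keyid1):
        self.code1, self.code2, self.keyid1 = code1, code2, keyid1
        self.code3 = self.code4 = self.keyid2 = None
        self.state = "registered"

    def receive_new_codes(self, code3, code4):
        self.code3, self.code4 = code3, code4

    def update_message(self, req):
        if req["keyid1"] != self.keyid1 or req["keyid2"] != key_id_code(self.code3, self.code4):
            raise ValueError("key-id codes in the update request do not match")
        self.keyid2 = req["keyid2"]
        body = {"keyid1": self.keyid1, "keyid2": self.keyid2}
        return {**body, "main_cred": credential(self.code1, self.code2, body),
                "sub_cred": credential(self.code3, self.code4, body)}

    def update_registration_message(self, conf):
        """Verify both credentials of the confirmation, mark the new codes registered, re-register."""
        body = {"keyid2": conf["keyid2"], "status": conf["status"]}
        main_ok = hmac.compare_digest(credential(self.code3, self.code4, body), conf["main_cred"])
        sub_ok = hmac.compare_digest(credential(self.code1, self.code2, body), conf["sub_cred"])
        if not (main_ok and sub_ok):
            raise ValueError("update confirmation does not verify")
        self.state = "updated"  # third/fourth codes and second key-id now registered
        reg = {"keyid2": self.keyid2, "type": "update-register"}
        return {**reg, "reg_cred": credential(self.code3, self.code4, reg)}


def run_update():
    code1, code2 = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed state
    server = RelationServer(code1, code2)
    terminal = UserTerminal(code1, code2, key_id_code(code1, code2))
    terminal.receive_new_codes(*server.negotiate_new_codes())
    conf = server.verify_update_message(terminal.update_message(server.update_required_message()))
    result = server.verify_update_registration(terminal.update_registration_message(conf))
    return result, terminal.state, server.active_keyid == server.keyid2


if __name__ == "__main__":
    print(run_update())
```

Because every message in the rotation carries a credential under the old codes as well as one under the new codes, a party that obtained only the new codes (or only the old ones) cannot complete or forge the update on its own.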
Optionally, the message requiring device-application verification carries a session handling ID.
Optionally, the user terminal sending a device application access credential message to the application service server includes:
producing a device application access credential message body that includes the session handling ID, and computing the device application access credential message-body credential corresponding to that session handling ID;
generating a device application access credential message that includes the message body and the message-body credential;
sending the device application access credential message to the application service server.
Optionally, the relationship verification server verifying the device application access credential message according to the application-and-account-to-device secure registration relationship includes:
using the first dynamic key identification shared code to look up, at the relationship verification server, the first and second dynamic device verification shared codes;
computing the message-body credential of the device application access credential message with the first and second dynamic device verification shared codes;
comparing the computed credential with the credential carried in the message; if they are consistent, further checking whether the application and account bound to the device secure registration relationship hold the authorization relationship for the application and account requested in the message, and obtaining the verification result from that.
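The login-time verification above, as an added example in Python that is not part of the patent. Constructed state: one registered device whose two shared codes are indexed by its key-id shared code, and a device application list holding one authorized (application, account) entry. Assumptions: the access credential is HMAC-SHA256 keyed from the two shared codes over a body carrying the session handling ID, application, account and key-id code; the session ID is issued by the application service server with the message requiring verification and is accepted once. The three failure runs show a replayed session, a device that knows only the victim's key-id code, and a registered device asking for an account it was never authorized for.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not code from the patent. Assumptions: credential = HMAC-SHA256 keyed
# from the two shared codes over {session_id, app, account, keyid}; the session ID is
# issued by the application service server and consumed on first use.


def credential(code_a, code_b, body):
    key = hmac.new(code_a, code_b, hashlib.sha256).digest()
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class RelationServer:
    def __init__(self):
        self.codes_by_keyid = {}  # key-id shared code -> (code1, code2)
        self.device_apps = set()  # (keyid, app, account): the device application list

    def verify_access_credential(self, msg):
        """Look up codes by key-id, recompute the credential, then check the authorization relation."""
        codes = self.codes_by_keyid.get(msg["keyid"])
        if codes is None:
            return "unregistered device"
        body = {k: msg[k] for k in ("session_id", "app", "account", "keyid")}
        if not hmac.compare_digest(credential(*codes, body), msg["cred"]):
            return "access credential mismatch"
        if (msg["keyid"], msg["app"], msg["account"]) not in self.device_apps:
            return "device not authorized for this application account"
        return "pass"


class AppServer:
    def __init__(self, relation):
        self.relation, self.sessions = relation, {}

    def login_request(self, app, account):
        """Answer a login request with a message requiring device-application verification."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = (app, account)
        return {"require_device_verification": True, "session_id": sid}

    def login(self, msg):
        """Forward the access credential message; respond only for a live session that passes."""
        if self.sessions.pop(msg["session_id"], None) != (msg["app"], msg["account"]):
            return "login refused: unknown or reused session"
        result = self.relation.verify_access_credential(msg)
        return "login ok" if result == "pass" else "login refused: " + result


class UserTerminal:
    def __init__(self, code1, code2, keyid):
        self.code1, self.code2, self.keyid = code1, code2, keyid

    def access_credential_message(self, session_id, app, account):
        body = {"session_id": session_id, "app": app, "account": account, "keyid": self.keyid}
        return {**body, "cred": credential(self.code1, self.code2, body)}


def setup():
    """Constructed state: one registered device authorized for one application account."""
    code1, code2 = secrets.token_bytes(32), secrets.token_bytes(32)
    keyid = hmac.new(code1, code2, hashlib.sha256).hexdigest()
    relation = RelationServer()
    relation.codes_by_keyid[keyid] = (code1, code2)
    relation.device_apps.add((keyid, "example-app", "alice"))
    return AppServer(relation), UserTerminal(code1, code2, keyid)


def run_login(app="example-app", account="alice", replay=False, wrong_device=False):
    app_server, terminal = setup()
    if wrong_device:  # an unregistered device that only knows the victim's key-id code
        terminal = UserTerminal(secrets.token_bytes(32), secrets.token_bytes(32), terminal.keyid)
    req = app_server.login_request(app, account)
    msg = terminal.access_credential_message(req["session_id"], app, account)
    result = app_server.login(msg)
    return app_server.login(msg) if replay else result


if __name__ == "__main__":
    print(run_login())
    print(run_login(replay=True))
    print(run_login(wrong_device=True))
    print(run_login(account="bob"))
```

Binding the session handling ID into the credential is what stops a captured access credential message from being replayed into a different login; the authorization-relation check after the credential check is the step that separates "this is the registered device" from "this device was authorized for this account".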
On the other hand, the embodiment of the present invention also provides for a kind of secure access certification user terminal, including:
Facility registration unit, sets up equipment safety for sending facility registration message to equipment application relation service for checking credentials end Registration relation;
Application granted unit, is used for described equipment application relation service for checking credentials end transmission authorization request message, and according to Described equipment secure registration relation sets up application and account and equipment secure registration relation;
Log on request unit, for providing service end to send application log on request message to application;
Safety certification request unit, for providing service end to send out to described equipment application relation service for checking credentials end by application Equipment application verification is sent to ask message;Described equipment application access credentials message is that application provides service end to described log on request The requirement equipment application verification message that unit sends generates;
Login unit, for providing the response results that logs in of service end to respond log on request message, institute according to described application State log in response results be application provide service end according to described in the described equipment application relation service for checking credentials end application and account and Equipment secure registration relation is to generation after described equipment application access credentials information authentication.
Optionally, the device registration unit includes:
a first dynamic device verification shared code negotiation unit, configured to negotiate with the device-application relation verification server to produce a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored respectively at the user terminal and at the device-application relation verification server;
a device registration request unit, configured to generate and send to the device-application relation verification server a device registration message carrying a device registration credential; the device registration message includes the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID;
the first and second dynamic device verification shared code registration IDs are the registration IDs that the device-application relation verification server allocates to the first and second dynamic device verification shared codes and sends to the user terminal after generating them;
the device registration message is generated from the first and second dynamic device verification shared codes stored at the user terminal together with the first and second dynamic device verification shared code registration IDs;
a device registration confirmation unit, configured to receive, verify and store the first dynamic key identification shared code and the registration verification result sent by the device-application relation verification server, where the registration verification result is obtained by the device-application relation verification server verifying the device registration message with its own copies of the first and second dynamic device verification shared codes;
the first dynamic key identification shared code is generated by the device-application relation verification server from its copies of the first and second dynamic device verification shared codes.
Optionally, the device registration message includes: the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID.
Optionally, the application authorization unit includes:
an application authorization request unit, configured to generate an authorization request message and send it to the device-application relation verification server via the application service server;
an application authorization response unit, configured to generate an authorization response message and send it to the device-application relation verification server via the application service server; the authorization response message is generated from the dynamic authorization code ciphertext and a randomly generated number, and carries an authorization credential; the dynamic authorization code ciphertext is generated by the device-application relation verification server from the application authorization request message and sent via the application service server; the randomly generated number is sent by the application service server after it has sent the dynamic authorization code ciphertext to the user terminal;
an application authorization confirmation unit, configured to receive, verify and store the application authorization confirmation result sent by the device-application relation verification server, where the authorization confirmation result is obtained by the device-application relation verification server first verifying the authorization response message with its first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code, and then verifying the authorization code ciphertext.
Optionally, the login request unit further includes an application access credential unit, configured to: produce a device application access credential message body; compute the device application access credential message body credential; generate a device application access credential message that includes the message body and the message body credential; and send the device application access credential message to the application service server.
Optionally, the user terminal further includes a device registration update unit, including:
a second dynamic device verification shared code negotiation unit, configured to negotiate with the device-application relation verification server to produce a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored respectively at the user terminal and at the device-application relation verification server;
a device registration update request unit, configured to generate and send to the device-application relation verification server a dynamic device update message carrying a device update credential; the dynamic device update message is generated from the user terminal's stored first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code; the second dynamic key identification shared code is generated by the device-application relation verification server from its copies of the third and fourth dynamic device verification shared codes and sent to the user terminal;
a device registration update verification unit, configured to receive, verify and store the registration verification result sent by the device-application relation verification server, where the update registration verification result is obtained by the device-application relation verification server verifying the dynamic device update message with its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code.
Optionally, the user terminal update registration credential includes a dynamic device update message main message body credential and a dynamic device update message sub-message body credential:
the dynamic device update message sub-message body credential is computed by the user terminal from its third and fourth dynamic device verification shared codes;
the dynamic device update message main message body credential is computed by the user terminal from its first and second dynamic device verification shared codes.
In another aspect, an embodiment of the present invention also provides a device-application relation verification server, characterised by including:
a device registration confirmation unit, configured to accept the device registration message sent by the user terminal and establish a device secure registration relation;
an application authorization confirmation unit, configured to receive the authorization request message sent by the user terminal and, on the basis of the device secure registration relation, establish an application-and-account-to-device secure registration relation;
a security authentication request confirmation unit, configured to receive the device application access credential message sent via the application service server; the device application access credential message is generated in response to the "device application verification required" message that the application service server sends to the login request unit of the user terminal;
a login response unit, configured to verify the device application access credential message against the application-and-account-to-device secure registration relation, generate an application secure access authentication result and a login response result, and send them via the application service server, so that the user terminal responds to the login request message according to the login response result of the application service server.
Optionally, the device registration confirmation unit includes:
a first dynamic device verification shared code negotiation unit, configured to negotiate with the user terminal to produce a first dynamic device verification shared code and a second dynamic device verification shared code, stored respectively at the user terminal and at the device-application relation verification server, and to allocate to the first and second dynamic device verification shared codes the corresponding first and second dynamic device verification shared code registration IDs;
a first dynamic key identification shared code generation unit, configured to generate a first dynamic key identification shared code from the device-application relation verification server's first and second dynamic device verification shared codes and send it to the user terminal;
a device registration confirmation unit, configured to receive the device registration message sent by the user terminal, verify it with the device-application relation verification server's first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code, and send a device registration confirmation result to the user terminal; the device registration message is generated from the first and second dynamic device verification shared codes stored at the user terminal together with the first and second dynamic device verification shared code registration IDs, and carries the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID.
Optionally, the application authorization confirmation unit includes:
an application authorization request processing unit, configured to receive the authorization request message sent by the user terminal, generate a dynamic authorization code ciphertext from the application authorization request message, and send it to the user terminal via the application service server;
an application authorization response processing unit, configured to receive the authorization response message sent by the user terminal, verify it with the device-application relation verification server's first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code, then verify the dynamic authorization code ciphertext, generate an authorization notification message and send it to the user terminal via the application service server; the authorization response message is generated by the user terminal from the dynamic authorization code ciphertext and a randomly generated number and carries an authorization credential; the randomly generated number is sent by the application service server after it has sent the dynamic authorization code ciphertext to the user terminal.
Optionally, the device-application relation verification server generating the dynamic authorization code from the application authorization request message includes:
generating a dynamic authorization code from the authorization request message;
generating a dynamic authorization key from the authorization request message;
encrypting the dynamic authorization code with the dynamic authorization key;
sending the dynamic authorization code ciphertext to the application service server.
Optionally, generating the authorization notification message includes:
checking, using the device secure registration relation, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key corresponding to the device secure registration relation, and checking whether the decrypted authorization code matches the authorization code issued by the device-application relation verification server;
if both checks match, adding the application corresponding to this authorization code, the user ID, the authorized service operations and the authorization time, together with the device relation, to the device application list.
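The dynamic authorization code round trip described in the two preceding passages (generating the code and key, encrypting, and then verifying the authorization response and the echoed ciphertext), as an added worked example in Python. This is not the patent's own code. The patent does not fix the cipher, the MAC or the message layout, so the following are assumptions of this example: the authorization credential is HMAC-SHA256 keyed with the concatenated first and second dynamic device verification shared codes over a canonical JSON body; the dynamic authorization key encrypts the code with an HMAC-SHA256 counter keystream, which is an illustrative stand-in only (a deployment would use an AEAD such as AES-GCM); the "randomly generated number" is a 16-byte nonce echoed in the response. All names (key_id, auth_id, RelationVerificationServer, the sample device and account) are hypothetical, and the shared codes are constructed inline.

```python
import hashlib
import hmac
import json
import secrets
import time


def credential(shared_code_1: bytes, shared_code_2: bytes, body: dict) -> str:
    """Authorization credential: HMAC-SHA256 keyed with both shared codes (assumed MAC)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(shared_code_1 + shared_code_2, canonical, hashlib.sha256).hexdigest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative stand-in for the unspecified cipher: XOR with an HMAC-SHA256
    counter keystream. Symmetric, so the same call encrypts and decrypts.
    Not a recommendation; a real deployment would use an AEAD such as AES-GCM."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class RelationVerificationServer:
    """Device-application relation verification server (hypothetical model)."""

    def __init__(self):
        self.registrations = {}            # key_id -> (k1, k2, device_id)
        self.pending = {}                  # auth_id -> issued code, key, request
        self.device_application_list = []  # authorized (device, app, user, ops, time)

    def register(self, key_id, k1, k2, device_id):
        self.registrations[key_id] = (k1, k2, device_id)

    def handle_authorization_request(self, request):
        """Generate the dynamic authorization code and key; return the ciphertext."""
        code = secrets.token_hex(8)        # dynamic authorization code
        key = secrets.token_bytes(32)      # dynamic authorization key, kept server-side
        auth_id = secrets.token_hex(8)
        self.pending[auth_id] = {"code": code, "key": key, "request": request}
        return {"auth_id": auth_id,
                "code_ciphertext": keystream_xor(key, code.encode()).hex()}

    def handle_authorization_response(self, response, random_number):
        """Verify the credential first, then the ciphertext; record the authorization."""
        body = response["body"]
        reg = self.registrations.get(body["key_id"])
        pending = self.pending.pop(body["auth_id"], None)   # one-shot: a replay finds nothing
        if reg is None or pending is None:
            return {"authorized": False, "reason": "unknown key id or authorization"}
        k1, k2, device_id = reg
        if not hmac.compare_digest(credential(k1, k2, body), response["credential"]):
            return {"authorized": False, "reason": "authorization credential mismatch"}
        if body["random_number"] != random_number:
            return {"authorized": False, "reason": "random number mismatch"}
        decrypted = keystream_xor(pending["key"], bytes.fromhex(body["code_ciphertext"]))
        if not hmac.compare_digest(decrypted, pending["code"].encode()):
            return {"authorized": False, "reason": "authorization code mismatch"}
        req = pending["request"]
        self.device_application_list.append({
            "device": device_id, "application": req["application"],
            "user": req["user_id"], "operations": req["operations"],
            "authorized_at": int(time.time())})
        return {"authorized": True, "application": req["application"], "device": device_id}


class DeviceApplicationRelationClient:
    """User terminal side (hypothetical model)."""

    def __init__(self, key_id, k1, k2):
        self.key_id, self.k1, self.k2 = key_id, k1, k2

    def authorization_request(self, application, user_id, operations):
        return {"key_id": self.key_id, "application": application,
                "user_id": user_id, "operations": operations}

    def authorization_response(self, challenge, random_number):
        body = {"key_id": self.key_id, "auth_id": challenge["auth_id"],
                "code_ciphertext": challenge["code_ciphertext"],
                "random_number": random_number}
        return {"body": body, "credential": credential(self.k1, self.k2, body)}


def run_authorization(scenario="ok"):
    """Whole round trip on constructed data; returns the server's notification message."""
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed shared codes
    server = RelationVerificationServer()
    server.register("kid-1", k1, k2, "device-A")
    client = DeviceApplicationRelationClient("kid-1", k1, k2)
    challenge = server.handle_authorization_request(
        client.authorization_request("mail", "alice", ["read", "send"]))
    random_number = secrets.token_hex(16)   # issued by the application service server
    response = client.authorization_response(challenge, random_number)
    if scenario == "tamper":
        response["body"]["operations"] = ["admin"]   # edited after the credential was computed
    notification = server.handle_authorization_response(response, random_number)
    if scenario == "replay":
        notification = server.handle_authorization_response(response, random_number)
    return notification


if __name__ == "__main__":
    print(run_authorization())
```

The order of checks mirrors the patent: the credential over the whole body is verified before the ciphertext is touched, so a response that was altered after signing is rejected without decrypting anything, and consuming the pending record on first use means the same response cannot be presented twice.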
Optionally, the login response unit further includes a login request verification unit, configured to:
use the first dynamic key identification shared code to look up the first dynamic device verification shared code and the second dynamic device verification shared code at the application relation verification server;
compute the message body credential of the device application access credential message with the first and second dynamic device verification shared codes;
compare the computed credential with the credential sent in the message for consistency;
if they are consistent, further check in the application-and-account-to-device secure registration relation whether the application and account requested in the message hold an authorization relation with the device, and so obtain the verification result.
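The login-time check just described, together with the user terminal side described earlier for the application access credential unit (produce the body, compute its credential, assemble the message), as an added worked example in Python; it is not the patent's own code. The patent does not fix the MAC, the body fields or any freshness rule, so these are assumptions of this example: HMAC-SHA256 keyed with the concatenated first and second dynamic device verification shared codes over a canonical JSON body, a timestamp and nonce in the body, and a 60-second acceptance window (FRESHNESS_WINDOW). The registration table (keyed by the first dynamic key identification shared code), the authorization set and all names (key_id, account, device-A) are hypothetical and constructed inline.

```python
import hashlib
import hmac
import json
import secrets
import time

FRESHNESS_WINDOW = 60   # seconds; an assumed replay window, not taken from the patent


def message_body_credential(shared_code_1: bytes, shared_code_2: bytes, body: dict) -> str:
    """Message body credential: HMAC-SHA256 keyed with both shared codes (assumed MAC)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(shared_code_1 + shared_code_2, canonical, hashlib.sha256).hexdigest()


def build_access_credential_message(key_id, k1, k2, application, account, now=None):
    """User terminal: produce the body, compute its credential, assemble the message."""
    body = {"key_id": key_id, "application": application, "account": account,
            "timestamp": int(now if now is not None else time.time()),
            "nonce": secrets.token_hex(8)}
    return {"body": body, "credential": message_body_credential(k1, k2, body)}


def verify_access_credential_message(registrations, authorizations, message, now=None):
    """Verification server: look up the shared codes by key identification, recompute
    the credential, compare, then check the application-and-account-to-device relation."""
    now = now if now is not None else time.time()
    body = message["body"]
    reg = registrations.get(body["key_id"])
    if reg is None:
        return {"passed": False, "reason": "unknown key identification"}
    k1, k2, device_id = reg
    expected = message_body_credential(k1, k2, body)
    if not hmac.compare_digest(expected, message["credential"]):
        return {"passed": False, "reason": "message body credential mismatch"}
    if abs(now - body["timestamp"]) > FRESHNESS_WINDOW:
        return {"passed": False, "reason": "stale message"}
    if (device_id, body["application"], body["account"]) not in authorizations:
        return {"passed": False, "reason": "application and account not authorized on device"}
    return {"passed": True, "device": device_id}


def demo(scenario="ok"):
    """Constructed data: one registered device and one authorized application-account pair."""
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    registrations = {"kid-7f3a": (k1, k2, "device-A")}        # key id -> shared codes, device
    authorizations = {("device-A", "mail", "alice")}          # device application list
    now = time.time()
    msg = build_access_credential_message("kid-7f3a", k1, k2, "mail", "alice", now)
    if scenario == "tamper":
        msg["body"]["account"] = "bob"                        # altered after the credential was made
    elif scenario == "unknown":
        msg["body"]["key_id"] = "kid-0000"
    elif scenario == "unauthorized":
        msg = build_access_credential_message("kid-7f3a", k1, k2, "archive", "alice", now)
    elif scenario == "stale":
        msg = build_access_credential_message("kid-7f3a", k1, k2, "mail", "alice", now - 600)
    return verify_access_credential_message(registrations, authorizations, msg, now)


if __name__ == "__main__":
    for s in ("ok", "tamper", "unknown", "unauthorized", "stale"):
        print(s, demo(s))
```

The credential is compared with hmac.compare_digest rather than == so that the comparison does not leak how many leading bytes matched, and the relation check only runs once the credential has proved the body came from the registered device.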
Optionally, the server further includes a device registration update confirmation unit, including:
a second dynamic device verification shared code negotiation unit, configured to negotiate with the user terminal to produce a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored respectively at the user terminal and at the device-application relation verification server;
a second dynamic key identification shared code generation unit, configured to generate a second dynamic key identification shared code from the device-application relation verification server's third and fourth dynamic device verification shared codes and send it to the user terminal;
a device registration update request confirmation unit, configured to receive the dynamic device update message sent by the user terminal, verify it with the device-application relation verification server's first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code, obtain an update registration confirmation message and send it to the user terminal; the dynamic device update message is generated from the user terminal's stored first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code, and carries the device update registration credential.
Optionally, the user terminal update registration credential includes a dynamic device update message main message body credential and a dynamic device update message sub-message body credential:
the dynamic device update message sub-message body credential is computed by the user terminal from its third and fourth dynamic device verification shared codes;
the dynamic device update message main message body credential is computed by the user terminal from its first and second dynamic device verification shared codes.
As can be seen from the above technical solution, the secure access authentication method, user terminal and server provided by the embodiments of the present invention use a dual authentication of device authentication plus application-and-account authorization to effectively ensure the information security of the user terminal's application access to the application service server. The embodiments can help the professional application network administrators of enterprises and institutions manage the boundary of application access and of devices. A user can authorize the device and the application-and-account in the manner described above. The embodiments suit a self-service model and flexible, changeable public user demand. On an enterprise intranet, the enterprise's operations department can configure the application-and-device relations automatically in a unified way, saving each employee the self-service authorization process and so achieving boundary control over enterprise IT access terminal devices. Because the method binds application-and-account authorization and access authentication to the computing device being accessed, a third-party device cannot gain access after a password is stolen, since it has not been authorized; the system and the account holder can perceive the password leak at the first opportunity and remedy the security breach promptly.
Brief description of the drawings
In order to describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are merely some embodiments of the present invention; for those of ordinary skill in the art, other drawings can be obtained from these drawings without creative effort.
Fig. 1 is a flow diagram of the secure access authentication method in one embodiment of the present invention;
Fig. 2 is a schematic diagram of the connection relation between the user terminal, the application service server and the device-application relation verification server in one embodiment of the present invention;
Fig. 3 is a schematic diagram of the user terminal structure in one embodiment of the present invention;
Fig. 4 is a flow diagram of establishing the device secure registration relation in one embodiment of the present invention;
Fig. 5 is a flow diagram of establishing the device secure registration relation in another embodiment of the present invention;
Fig. 6 is a flow diagram of establishing the application-and-account-to-device secure registration relation in one embodiment of the present invention;
Fig. 7 is a flow diagram of establishing the application-and-account-to-device secure registration relation in another embodiment of the present invention;
Fig. 8 is a flow diagram of the user terminal login security verification in one embodiment of the present invention;
Fig. 9 is a flow diagram of the user terminal login security verification in another embodiment of the present invention;
Fig. 10 is a flow diagram of updating the device secure registration relation in one embodiment of the present invention;
Fig. 11 is a flow diagram of updating the device secure registration relation in another embodiment of the present invention;
Fig. 12 is a flow diagram of the user terminal producing a message credential in one embodiment of the present invention;
Fig. 13 is a schematic structural diagram of the user terminal in one embodiment of the present invention;
Fig. 14 is a schematic structural diagram of the device registration unit of the user terminal in one embodiment of the present invention;
Fig. 15 is a schematic structural diagram of the application authorization unit of the user terminal in one embodiment of the present invention;
Fig. 16 is a schematic structural diagram of the device registration update unit of the user terminal in one embodiment of the present invention;
Fig. 17 is a schematic structural diagram of the device-application relation verification server in one embodiment of the present invention;
Fig. 18 is a schematic structural diagram of the device registration confirmation unit of the device-application relation verification server in one embodiment of the present invention;
Fig. 19 is a schematic structural diagram of the application authorization confirmation unit of the device-application relation verification server in one embodiment of the present invention;
Fig. 20 is a schematic structural diagram of the device registration update confirmation unit of the device-application relation verification server in one embodiment of the present invention.
Detailed description of the invention
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments is described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in Fig. 1, an embodiment of the present invention provides a secure access authentication method, including: the user terminal sends a device registration message to the device-application relation verification server and establishes a device secure registration relation; the user terminal sends an authorization request message to the device-application relation verification server and, on the basis of the device secure registration relation, establishes an application-and-account-to-device secure registration relation; the user terminal sends an application login request message to the application service server; the application service server sends a "device application verification required" message to the user terminal; the user terminal sends a device application access credential message to the application service server; the application service server processes it and sends the device application access credential message to the device-application relation verification server; the device-application relation verification server verifies the device application access credential message and, according to the result, sends a device application verification result message to the application service server; the application service server responds to the user terminal's application login request message according to the application secure access authentication result in the device application verification result message. The secure access authentication processing method provided by the embodiment of the present invention is described in detail below.
As shown in Fig. 2, the secure access authentication method provided by the embodiment of the present invention is mainly applied in an Internet system of user terminals, application service servers and device-application relation verification servers connected over a network. The user terminal is any communication device that needs to pass security authentication when establishing a secure application connection with the application service server, such as a mobile phone, a pad, a PC, or any smart device with networking capability. The device-application relation verification server is the server that manages the device-application relation clients on the user terminals; it judges from the device application access credential message whether the account accessing the application client or service is doing so from a device that the user has authorized, and indicates the corresponding behaviour to the application service server. It can be implemented, for example, by a server with security authentication functions. The application service server refers to the various servers that provide the expected service to the user terminal; it uses the user-device access relation credential verification result provided by the device-application relation verification server to decide the service response finally provided to the end user. Examples are a mail server, a code security server, an archive information management server and a message management server.
As shown in Fig. 3, the user terminal can include an application client, a device-application relation client and a personal security unit. The application client refers to the various local programs and applications that initiate the application service requests specified by the user; it is responsible for calling the API (Application Programming Interface) of the local device-application relation client to produce the user-device access relation credential and embedding it in the flow of requesting and obtaining the service. The device-application relation client is the collective name for all software components running on the user's device that provide the device access credential service, local information encryption and decryption, verification and signature functions for the user's application requests; it also provides the UI for interaction with the user, works directly with the independent security unit, holds sessions with the device-application relation verification server, and assists in or directly performs key generation and update. The device-application relation client is in effect the entity that provides the security authentication or access credential service and the encryption and decryption service to the application client. The personal security unit refers to a unit included in the user terminal and its system that can provide any one or more of the following capabilities: trusted secure computation, secure storage and a secure UI service, such as a trusted area of the computer, an embedded system, a built-in security hardware unit and system, or a firmware unit. The personal security unit provides only the services listed above to the device-application relation client; in practice, part of this functionality can be implemented in the device-application relation client itself.
As shown in Fig. 4, in the embodiment of the present invention, when the user terminal needs to be verified by the device-application relation verification server, it must first submit a device secure registration to that server so that a device secure registration relation is established between the user terminal and the device-application relation verification server. Specifically, the user terminal sending the device registration message to the device-application relation verification server to establish the device secure registration relation includes: the user terminal and the device-application relation verification server negotiate a first dynamic device verification shared code and a second dynamic device verification shared code, stored respectively at the user terminal and at the device-application relation verification server; the device-application relation verification server allocates to the first dynamic device verification shared code a corresponding first dynamic device verification shared code registration ID, and to the second dynamic device verification shared code a corresponding second dynamic device verification shared code registration ID; the device-application relation verification server generates the first dynamic key identification shared code from its first and second dynamic device verification shared codes; the device-application relation verification server sends to the user terminal a dynamic device shared code verification message carrying the first and second dynamic device verification shared code registration IDs, where the dynamic device shared code verification message includes a dynamic device shared code verification message sub-message body credential and a dynamic device shared code verification message signature; the user terminal verifies the sub-message body credential with its own first and second dynamic device verification shared codes, verifies the message signature with the public key of the device-application relation verification server, and generates the device registration credential after verification passes; the user terminal sends to the device-application relation verification server a device registration message carrying the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID; the device-application relation verification server uses the first and second dynamic device verification shared code registration IDs in the device registration message to locate its corresponding first and second dynamic device verification shared codes and verifies the device registration message with them; after the device registration message passes verification, the device-application relation verification server feeds back to the user terminal a device registration confirmation message carrying the device registration verification result and the first dynamic key identification shared code.
In a specific implementation, Figure 5 is a flow chart of the registration of the equipment application relation client in an embodiment of the present invention. In this embodiment, when the user terminal registers with the equipment application relation verification server, it first establishes a session connection with that server. Specifically, the equipment application relation client establishes either a plaintext session or an encrypted session with the equipment application relation verification server, and the client uses a preset public key to verify that the session peer is the expected equipment application relation verification server.
As shown in Figure 5, the user terminal and the equipment application relation verification server negotiate the first dynamic device verification shared code and the second dynamic device verification shared code, which are stored at both the user terminal and the equipment application relation verification server.
Specifically, step S21 produces the first dynamic device verification shared code and stores it at both the user terminal and the equipment application relation verification server. In step S21 the first dynamic device verification shared code may be established with the ECDH algorithm, with the Diffie-Hellman key exchange, or by reliable delivery of an RSA key. ECDH is preferred because it gives higher computational efficiency and a shorter key length at an equivalent security level.
Step S21 requires the equipment application relation client and the independent secure unit to cooperate in computing and storing the key seed information; the final key is then derived from that seed information and used as the first dynamic device verification shared code.
Mode one: in step S22 the equipment application relation client passes the public parameters of the key computation to the independent secure unit, which computes the seed information and the final key derived from it. Performing the key computation inside the independent secure unit gives the seed information and the key a higher level of protection.
Mode two: in step S21 the equipment application relation client runs a program that computes the seed information and generates the final key, i.e. the first dynamic device verification shared code; in step S22 the dynamic device verification shared code derived from the seed information is registered into the independent secure unit. Mode two is slightly less secure than mode one but is easier to implement.
Preferably, in a specific implementation, the seed information and the key, i.e. the first dynamic device verification shared code, are computed and produced in the independent secure unit. In step S23 the equipment application relation verification server allocates a first dynamic device verification shared code registration ID that corresponds to the first dynamic device verification shared code; in embodiments of the invention this registration ID identifies the first dynamic device verification shared code during the registration of the user terminal's device. As shown in Figure 5, steps S24 and S25, which mirror steps S21 and S22, produce the second dynamic device verification shared code and store it at both the user terminal and the equipment application relation verification server, and in step S26 the equipment application relation verification server allocates the second dynamic device verification shared code registration ID. The first and second dynamic device verification shared code registration IDs allocated in steps S23 and S26 serve two purposes, illustrated here with the first one: on the one hand, the first dynamic device verification shared code registration ID uniquely identifies one specific registration, and if verification fails at any point in the verification flow the current registration ID is invalidated, which prevents replay attacks; on the other hand, if communication is interrupted during registration, the first dynamic device verification shared code registration ID can continue to be used on a newly established connection to complete the flow shown in Figure 5, which preserves the integrity of the communication process and adapts to changeable, complex network environments.
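The negotiation of step S21 and the single-use registration IDs of steps S23 and S26, as an added example in Go that is not part of the patent: both sides run an ECDH exchange over P-256 and derive the same shared code, and a server-side registry binds each code to a random registration ID that is retired after a failed verification but otherwise stays usable so an interrupted registration can resume. The HMAC-based derivation of the code from the ECDH secret, the ID format and the registry layout are assumptions of this example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// deriveSharedCode turns a raw ECDH secret into a 32-byte dynamic device
// verification shared code. HMAC-SHA256 under a label is an assumption of
// this example; the patent names ECDH but leaves the derivation open.
func deriveSharedCode(secret []byte, label string) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(label))
	return h.Sum(nil)
}

// negotiateSharedCode runs one ECDH exchange over P-256 (step S21). Only the
// public keys would cross the wire (PublicKey().Bytes(), parsed by the peer
// with curve.NewPublicKey); each side then derives the same code.
func negotiateSharedCode(label string) (clientCode, serverCode []byte, err error) {
	curve := ecdh.P256()
	clientPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serverPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	clientSecret, err := clientPriv.ECDH(serverPriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	serverSecret, err := serverPriv.ECDH(clientPriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	return deriveSharedCode(clientSecret, label), deriveSharedCode(serverSecret, label), nil
}

// Registry is the server-side table from registration ID to stored shared
// code (steps S23 and S26). An ID identifies exactly one registration: a
// failed verification retires it so a replayed message is rejected, while an
// interrupted registration may resume on a new connection with the same ID.
type Registry struct {
	mu    sync.Mutex
	codes map[string][]byte
}

func NewRegistry() *Registry { return &Registry{codes: map[string][]byte{}} }

// Allocate stores code under a fresh random registration ID and returns the ID.
func (r *Registry) Allocate(code []byte) (string, error) {
	var raw [16]byte
	if _, err := rand.Read(raw[:]); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw[:])
	r.mu.Lock()
	defer r.mu.Unlock()
	r.codes[id] = append([]byte(nil), code...)
	return id, nil
}

// Lookup returns the code bound to id; it remains usable until Invalidate.
func (r *Registry) Lookup(id string) ([]byte, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	code, ok := r.codes[id]
	if !ok {
		return nil, errors.New("unknown or retired registration ID")
	}
	return code, nil
}

// Invalidate retires id after a failed verification (replay protection).
func (r *Registry) Invalidate(id string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	delete(r.codes, id)
}

func main() {
	c, s, err := negotiateSharedCode("first dynamic device verification shared code")
	if err != nil {
		panic(err)
	}
	reg := NewRegistry()
	id, _ := reg.Allocate(s)
	fmt.Printf("codes equal: %v\nregistration ID: %s\n", hmac.Equal(c, s), id)
}
```

In mode two of the text the client would run negotiateSharedCode and then hand the derived code to the secure unit; in mode one the ECDH call itself would happen inside the secure unit.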
As shown in Figure 5, the equipment application relation verification server generates the first dynamic key identification shared code from its own first and second dynamic device verification shared codes. Specifically, when step S27 computes the dynamic key identification shared code, it encrypts with the first dynamic device verification shared code and the second dynamic device verification shared code; the encryption algorithm includes but is not limited to AES256 or AES192, preferably AES256 or a nationally certified algorithm of equivalent security level and key strength. Because secure key lengths and algorithms evolve with computer science, the embodiments of the invention follow the security verification rules and nationally certified algorithms of the industry as they evolve. Specifically, the key identification id allocated by the equipment application relation verification server is encrypted with the first dynamic device verification shared code to obtain a first ciphertext, and the first ciphertext is encrypted with the second dynamic device verification shared code to obtain the first dynamic key identification shared code; the key identification id, the first dynamic key identification shared code, the first dynamic device verification shared code and the second dynamic device verification shared code are bound together in a corresponding relation. With the key identification id unchanged, the first dynamic key identification shared code changes whenever the first or second dynamic device verification shared code changes. The first and second dynamic device verification shared codes registered in the independent secure unit may be used only by the equipment application relation client; no other program is permitted to compute, encrypt or verify with the keys in the independent secure unit.
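The two-layer encryption of step S27, as an added Go example that is not the patent's own code: the key identification id is encrypted under the first shared code, the result under the second, and the server keeps the binding so that a value computed under rotated codes is rejected. Treating the id as a single 16-byte AES-256 block with no IV is an assumption made so the value is deterministic for a fixed id, as the text requires; the demo codes are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// KeyIDSharedCode computes the first dynamic key identification shared code
// (step S27): the key identification id is encrypted under the first dynamic
// device verification shared code, and that first ciphertext is encrypted
// under the second. Both codes act as AES-256 keys. Raw single-block
// encryption (no IV) is an assumption: it keeps the result deterministic for
// a fixed id while any rotation of either code yields a new value.
func KeyIDSharedCode(keyID, code1, code2 []byte) ([]byte, error) {
	if len(keyID) != aes.BlockSize {
		return nil, errors.New("key identification id must be exactly 16 bytes")
	}
	if len(code1) != 32 || len(code2) != 32 {
		return nil, errors.New("shared codes must be 32 bytes to serve as AES-256 keys")
	}
	c1, err := aes.NewCipher(code1)
	if err != nil {
		return nil, err
	}
	c2, err := aes.NewCipher(code2)
	if err != nil {
		return nil, err
	}
	first := make([]byte, aes.BlockSize)
	c1.Encrypt(first, keyID) // first ciphertext
	kisc := make([]byte, aes.BlockSize)
	c2.Encrypt(kisc, first) // first dynamic key identification shared code
	return kisc, nil
}

// Binding is the correspondence the server keeps between the id, the two
// shared codes and the resulting key identification shared code.
type Binding struct {
	KeyID []byte
	Code1 []byte
	Code2 []byte
	KISC  []byte
}

// NewBinding derives and records the key identification shared code.
func NewBinding(keyID, code1, code2 []byte) (Binding, error) {
	kisc, err := KeyIDSharedCode(keyID, code1, code2)
	if err != nil {
		return Binding{}, err
	}
	return Binding{KeyID: keyID, Code1: code1, Code2: code2, KISC: kisc}, nil
}

// Accepts reports whether a key identification shared code presented later
// (for example in an authorization request) is the one bound to this device
// under its current shared codes; a value computed under rotated codes fails.
func (b Binding) Accepts(presented []byte) bool {
	return subtle.ConstantTimeCompare(b.KISC, presented) == 1
}

// demoCode builds a constructed 32-byte shared code for the example only.
func demoCode(label string) []byte {
	sum := sha256.Sum256([]byte(label))
	return sum[:]
}

func main() {
	keyID := []byte("device-key-id-01") // 16 bytes, constructed
	b, err := NewBinding(keyID, demoCode("code1"), demoCode("code2"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("key identification shared code: %x\n", b.KISC)
}
```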
As shown in Figure 5, in step S28 the equipment application relation verification server sends to the user terminal a dynamic device shared code verification message carrying the first and second dynamic device verification shared code registration IDs. Specifically, the equipment application relation verification server forms the dynamic device shared code verification message sub-message body from the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID and a random salt value; using the first and second dynamic device verification shared codes as the key, it computes the dynamic device shared code verification message sub-message body voucher over the sub-message body; the sub-message body and the sub-message body voucher together form the dynamic device shared code verification message main message body; the equipment application relation verification server signs the main message body with its private key, yielding the signature Sig; and the main message body together with the signature Sig form the dynamic device shared code verification message, which is sent to the equipment application relation client.
In an implementation, when the first and second dynamic device verification shared codes are used as the key to compute a voucher, a message authentication code method may be used; the algorithm includes but is not limited to an HMAC built on a one-way hash function, or a message authentication code built on a block cipher such as DES or AES. An HMAC built on a one-way hash function is preferred: it is well supported on commercial computing platforms, especially mobile smart platforms, its security level is widely accepted in commercial networks, and it is easy to promote in the market.
The equipment application relation client of the user terminal verifies the signature Sig with the public key of the equipment application relation verification server; if it verifies, the flow proceeds to the next step, otherwise the message is discarded. The specific verification procedure is as follows: the equipment application relation client extracts the dynamic device shared code verification message sub-message body; it calls the independent secure unit interface to compute the sub-message body voucher; the independent secure unit computes the dynamic device shared code verification message sub-message body voucher with the first and second dynamic device verification shared codes stored at the user terminal; the independent secure unit returns the result to the equipment application relation client; the equipment application relation client compares the computed result with the dynamic device shared code verification message sub-message body voucher contained in the message; if they match, the subsequent device registration flow continues, otherwise an error message is returned to the equipment application relation verification server.
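The message of step S28 and the client check just described, as an added Go example that is not part of the patent: the server builds the sub-message body (both registration IDs and a random salt), computes the voucher as an HMAC keyed with both shared codes, and signs the main body with ECDSA; the client verifies the signature first and then recomputes the voucher in constant time. Concatenating the two codes into one HMAC key, the JSON field layout and ECDSA over P-256 as the signature scheme are assumptions; the shared codes in main are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// SubBody is the sub-message body of the dynamic device shared code
// verification message: both registration IDs and a random salt.
type SubBody struct {
	RegID1 string `json:"reg_id1"`
	RegID2 string `json:"reg_id2"`
	Salt   string `json:"salt"`
}

// VerifyMessage is the main message body (SubBody plus its voucher) together
// with the server's signature Sig over that main body.
type VerifyMessage struct {
	Sub     SubBody `json:"sub"`
	Voucher []byte  `json:"voucher"`
	Sig     []byte  `json:"sig"`
}

// voucherKey joins the two shared codes into one HMAC key (concatenation is
// an assumption; the patent says both codes form the key but not how).
func voucherKey(code1, code2 []byte) []byte {
	return append(append([]byte{}, code1...), code2...)
}

// computeVoucher is HMAC-SHA256 over the canonical JSON of the sub-body.
func computeVoucher(code1, code2 []byte, sub SubBody) []byte {
	raw, _ := json.Marshal(sub) // struct field order fixes the encoding
	h := hmac.New(sha256.New, voucherKey(code1, code2))
	h.Write(raw)
	return h.Sum(nil)
}

// mainBodyHash is what the server signs and the client verifies.
func mainBodyHash(sub SubBody, voucher []byte) []byte {
	raw, _ := json.Marshal(struct {
		Sub     SubBody
		Voucher []byte
	}{sub, voucher})
	sum := sha256.Sum256(raw)
	return sum[:]
}

// BuildVerifyMessage is the server side of step S28.
func BuildVerifyMessage(priv *ecdsa.PrivateKey, code1, code2 []byte, id1, id2 string) (VerifyMessage, error) {
	var salt [16]byte
	if _, err := rand.Read(salt[:]); err != nil {
		return VerifyMessage{}, err
	}
	sub := SubBody{RegID1: id1, RegID2: id2, Salt: fmt.Sprintf("%x", salt)}
	voucher := computeVoucher(code1, code2, sub)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, mainBodyHash(sub, voucher))
	if err != nil {
		return VerifyMessage{}, err
	}
	return VerifyMessage{Sub: sub, Voucher: voucher, Sig: sig}, nil
}

// CheckVerifyMessage is the client side: the signature is checked with the
// server's public key first, then the voucher is recomputed with the codes the
// client holds (in practice inside the independent secure unit) and compared
// in constant time.
func CheckVerifyMessage(pub *ecdsa.PublicKey, code1, code2 []byte, m VerifyMessage) error {
	if !ecdsa.VerifyASN1(pub, mainBodyHash(m.Sub, m.Voucher), m.Sig) {
		return errors.New("signature invalid: not from the trusted verification server")
	}
	if !hmac.Equal(computeVoucher(code1, code2, m.Sub), m.Voucher) {
		return errors.New("voucher mismatch: server and client shared codes differ")
	}
	return nil
}

// newServerKey and constructedCode exist only to run the example.
func newServerKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func constructedCode(b byte) []byte            { return bytes.Repeat([]byte{b}, 32) }

func main() {
	priv, err := newServerKey()
	if err != nil {
		panic(err)
	}
	c1, c2 := constructedCode('a'), constructedCode('b')
	m, err := BuildVerifyMessage(priv, c1, c2, "reg-id-1", "reg-id-2")
	if err != nil {
		panic(err)
	}
	fmt.Println("client check:", CheckVerifyMessage(&priv.PublicKey, c1, c2, m))
}
```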
After verification passes, the vouchers of subsequent messages are verified using one of the following two methods:
Method one: the voucher is a message authentication code computed from the first and second dynamic device verification shared codes. In an implementation, the first dynamic device verification shared code is used as the key to compute the MAC value of the target message, and the MAC value is then encrypted with the second dynamic device verification shared code to obtain the MAC ciphertext of the target, which is used as the message body voucher or sub-message body voucher. Method two: on the basis of method one, a signature with the private key of the equipment application relation verification server is added; in an implementation, the message body produced by method one together with its message body voucher are signed as a whole. Method one saves the computation and verification of the signature.
As shown in Figure 5, the user terminal generates the device registration voucher from the first and second dynamic device verification shared codes held at the user terminal. Specifically, in step S29 the equipment application relation client sends a request to the independent secure unit to compute the device registration message body authentication code ciphertext; in step S210 the independent secure unit computes the device registration message body voucher with the first and second dynamic device verification shared codes it holds; in step S211 the message body voucher is returned, and this result is used as the device registration voucher. The computation of steps S29, S210 and S211 is preferably performed in the independent secure unit.
The equipment application relation client produces the device registration message. It forms message body C from client information the user has permitted, such as a timestamp, the computer equipment model or brand (one or more items, not limited to these), together with the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID and a random salt value. The voucher of message body C is computed with the first and second dynamic device verification shared codes.
Part of the plaintext of the message body, for example the random salt value, is encrypted with the encryption public key of the equipment application relation verification server to obtain the random salt ciphertext. This ciphertext replaces the corresponding plaintext in message C, forming the final message body C1; message body C1 and the voucher of message body C together form the device registration message. The equipment application relation client sends the device registration message to the equipment application relation verification server.
Once the second dynamic device verification shared code is in use, even if a hacker captures this message, the threshold for brute-forcing the first and second dynamic device verification shared codes is greatly raised; all subsequent interactions use this method to improve the security level. As shown in Figure 5, the user terminal uses the message body voucher returned in step S211 as the device registration voucher and sends the device registration message carrying the device registration voucher to the equipment application relation verification server. Specifically, in step S212 the device registration message preferably carries user-permitted client information describing the registered device, such as registration time, device type and description, and location.
As shown in Figure 5, the equipment application relation verification server uses the first and second dynamic device verification shared code registration IDs to look up the corresponding first and second dynamic device verification shared codes it holds and verifies the device registration message with them. Specifically, in step S213 it sends a device registration confirmation message carrying the first dynamic key identification shared code to the equipment application relation client of the user terminal. In detail, the equipment application relation verification server looks up the first dynamic device verification shared code corresponding to the first dynamic device verification shared code registration ID in the message and the second dynamic device verification shared code corresponding to the second dynamic device verification shared code registration ID. It decrypts the ciphertext in the received message body C1 with its decryption private key to restore the plaintext message body; it computes the voucher of message body C with the first and second dynamic device verification shared codes and checks that the computed voucher equals the voucher of message body C carried in the message; if the check passes, device registration is judged successful and the equipment application relation verification server marks the first and second dynamic device verification shared codes as successfully registered.
The device registration confirmation message comprises the message body of the device registration confirmation message and the device registration confirmation message body voucher; the message body at least includes the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID, the registration result, the first dynamic key identification shared code and a random number. The device registration confirmation message body voucher is computed with the first and second dynamic device verification shared codes as the key. The equipment application relation verification server sends the device registration confirmation message to the equipment application relation client.
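Method one of the voucher computation above and the device registration exchange of steps S29 to S213, as one added Go example that is not the patent's own code: the client computes the voucher over message body C as a MAC under the first shared code encrypted under the second, replaces the salt with its RSA-OAEP ciphertext to form C1, and the server restores C with its private key before checking the voucher with the codes resolved from the two registration IDs. AES-256-GCM with a prefixed random nonce for the MAC encryption, RSA-OAEP for the salt and the JSON layout are assumptions; the lookup callback stands in for the server's registration table and the codes and salt are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// RegBody is message body C of the device registration message. In C the
// salt is plaintext; in C1 the same field carries its RSA-OAEP ciphertext.
type RegBody struct {
	Model  string `json:"model"`
	RegID1 string `json:"reg_id1"`
	RegID2 string `json:"reg_id2"`
	Salt   []byte `json:"salt"`
}

// RegMessage is C1 together with the voucher computed over C.
type RegMessage struct {
	Body    RegBody `json:"body"`
	Voucher []byte  `json:"voucher"`
}

func canonical(b RegBody) []byte { raw, _ := json.Marshal(b); return raw }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// methodOneVoucher: HMAC-SHA256 of msg under the first shared code, then the
// MAC encrypted under the second (AES-256-GCM, nonce prefixed; assumed mode).
func methodOneVoucher(code1, code2, msg []byte) ([]byte, error) {
	mac := hmac.New(sha256.New, code1)
	mac.Write(msg)
	gcm, err := newGCM(code2)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, mac.Sum(nil), nil), nil
}

// verifyMethodOne decrypts the MAC with code2 and recomputes it with code1.
func verifyMethodOne(code1, code2, msg, voucher []byte) bool {
	gcm, err := newGCM(code2)
	if err != nil || len(voucher) < gcm.NonceSize() {
		return false
	}
	ns := gcm.NonceSize()
	tag, err := gcm.Open(nil, voucher[:ns], voucher[ns:], nil)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, code1)
	mac.Write(msg)
	return hmac.Equal(mac.Sum(nil), tag)
}

// BuildRegistration is the client side (steps S29 to S212): the voucher is
// computed over C, then the salt is encrypted to the server's key to form C1.
func BuildRegistration(serverPub *rsa.PublicKey, code1, code2 []byte, c RegBody) (RegMessage, error) {
	voucher, err := methodOneVoucher(code1, code2, canonical(c))
	if err != nil {
		return RegMessage{}, err
	}
	encSalt, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, c.Salt, nil)
	if err != nil {
		return RegMessage{}, err
	}
	c1 := c
	c1.Salt = encSalt
	return RegMessage{Body: c1, Voucher: voucher}, nil
}

// VerifyRegistration is the server side (step S213): resolve both codes from
// the registration IDs, restore C from C1 with the private key, check the voucher.
func VerifyRegistration(serverPriv *rsa.PrivateKey, lookup func(id1, id2 string) (code1, code2 []byte, ok bool), m RegMessage) error {
	code1, code2, ok := lookup(m.Body.RegID1, m.Body.RegID2)
	if !ok {
		return errors.New("unknown registration IDs")
	}
	salt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, m.Body.Salt, nil)
	if err != nil {
		return errors.New("salt ciphertext was not encrypted to this server")
	}
	c := m.Body
	c.Salt = salt
	if !verifyMethodOne(code1, code2, canonical(c), m.Voucher) {
		return errors.New("device registration voucher mismatch")
	}
	return nil
}

// newServerRSAKey and constructedCode exist only to run the example.
func newServerRSAKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func constructedCode(b byte) []byte             { return bytes.Repeat([]byte{b}, 32) }
```

Method two of the text would additionally sign the pair (C1, voucher) with the server's private key; the confirmation message of step S213 is not shown.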
Beneficial effects: the signature over the main message body of the dynamic device shared code verification message lets the client determine that the message comes from a trusted equipment application relation verification server, and verifying the sub-message body voucher confirms, in the downlink direction, that the first and second dynamic device verification shared codes the server used to produce the voucher match the corresponding keys held by the equipment application relation client. The device registration message carries the random salt value encrypted with the server's public key, so only the server holding the private key can compute the voucher of the correct plaintext message body, which ensures consistency in the uplink direction. Together these detect and prevent man-in-the-middle attacks and integrity violations that could occur while the first and second dynamic device verification shared codes are being produced.
As shown in Figure 5, the equipment application relation verification server returns the device registration verification result to the user terminal. Specifically, in step S214 the verified first dynamic key identification shared code is saved in the secure storage area provided by the independent secure unit; at the same time the first and second dynamic device verification shared codes are confirmed as successfully registered, and the client can then provide service state to application clients.
The equipment application relation client verifies the message body voucher with the first and second dynamic device verification shared codes; if it verifies, the equipment application relation client asks the independent secure unit to store the dynamic key identification shared code and the device registration flow completes successfully; otherwise an error is reported and the flow terminates.
As shown in Figure 6, in an embodiment of the present invention, an application of the user terminal establishes, through the equipment application relation client, an application-account-device secure registration relation with the equipment application relation verification server, so that when the application client of the user terminal is verified for login by the equipment application relation verification server it can additionally present application-account-device secure registration relation authentication to that server. Specifically, the application client in the user terminal sends an authorization request message to the equipment application relation verification server, and establishing the application-account-device secure registration relation on the basis of the device secure registration relation comprises: the application providing server receives and processes the authorization request message from the user terminal and forwards it to the equipment application relation verification server; the equipment application relation verification server generates a dynamic authorization code ciphertext from the authorization request message and sends it to the application providing server; the application providing server sends the dynamic authorization code ciphertext and a randomly generated number to the user terminal in turn; the user terminal generates an authorization response message carrying an authorization voucher from the dynamic authorization code ciphertext and the randomly generated number and sends it to the application providing server, the authorization response message including the dynamic authorization code ciphertext and the randomly generated number; the application providing server receives and processes the authorization response message and forwards it to the equipment application relation verification server; the equipment application relation verification server verifies the authorization response message against the device secure registration relation, then verifies the dynamic authorization code ciphertext and, via the application providing server, returns the application confirmation result to the user terminal.
In a specific implementation, Figure 7 is a flow chart of establishing the application-account-device secure registration relation in an embodiment of the present invention. When the user terminal initiates registration of the application-account-device secure registration relation with the equipment application relation verification server, the user terminal and the application providing server each establish a session connection with the equipment application relation verification server. The flow is explained below using the example of a user terminal initiating, for a mail application, the registration of an application-account-device secure registration relation with the equipment application relation verification server, so that such a relation is established between the user terminal and that server.
As shown in Figure 7, the application providing server receives and processes the application authorization request message from the user terminal and forwards it to the equipment application relation verification server. Specifically, the application client is an e-mail application client and the application providing server is an e-mail application providing server. The e-mail application client interacts with the equipment application relation client. In steps S31 and S32 the submitted application authorization request message body is the object over which the application authorization request message body voucher is computed: the equipment application relation client computes the voucher using the message body voucher computation of steps S29, S210 and S211 in Figure 5, the voucher is returned to the equipment application relation client, which returns it to the e-mail application client in S32, and the e-mail application client includes it in the authorization request message sent in S33. In a specific implementation, the information in the authorization request messages of steps S33 and S35 includes but is not limited to the application ID, the user ID, the first dynamic key identification shared code, the period of the requested authorization and supplementary authorization information, such as write or login actions. The first dynamic key identification shared code is obtained by querying the API of the equipment application relation client. In a specific implementation, the application determines in step S34 which information and options to check.
The application client obtains the dynamic key identification shared code through the API provided by the equipment application relation client and composes the authorization request message body from, but not limited to, the application name or number, the application ID, the authorized content, service provider information, the requested authorization code transmission mode and the first dynamic key identification shared code; the authorization code transmission modes include but are not limited to wireless communication, wired fixed-network communication, SMS, QR code and e-mail. The application client calls the equipment application relation client API to compute the voucher of the authorization request message body, composes the application authorization request message from the authorization request message body and its voucher, and sends the authorization request message to the application providing server.
The application providing server performs an authorization compliance check; if it passes, it requires the equipment application relation verification server to verify the authorization and forwards the authorization request message to that server.
As shown in Figure 7, the equipment application relation verification server generates, from the application authorization request message, authorization code information carrying the dynamic authorization code ciphertext and sends it to the application providing server. Generating the dynamic authorization code from the application authorization request message comprises: generating the dynamic authorization code from the authorization request message; generating an authorization code key of the type corresponding to the authorization code transmission mode included in the authorization request message; encrypting the dynamic authorization code; and sending an authorization code message composed of the dynamic authorization code ciphertext and the first dynamic key identification shared code to the application providing server.
Specifically, generating the dynamic authorization code ciphertext from the application authorization request message comprises: generating the dynamic authorization code from the authorization request message; generating a dynamic authorization key from the authorization request message; encrypting the dynamic authorization code with the dynamic authorization key; and sending an authorization code message including the dynamic authorization code ciphertext and the first dynamic key identification shared code to the application providing server. From the dynamic key identification shared code in the authorization request message, the equipment application relation verification server confirms that the device sending the request is a successfully registered device and looks up the corresponding first and second dynamic device verification shared codes held at the equipment application relation verification server; it verifies the authorization request message body voucher with the first and second dynamic device verification shared codes; if the computed authorization request message body voucher equals the voucher included in the authorization request message, it derives, according to the requested transmission mode, the authorization code key corresponding to the dynamic key identification shared code, produces the dynamic authorization code and encrypts it with the authorization code key to produce the dynamic authorization code ciphertext M.
Specifically, the dynamic authorization code produced in step S36 marks the current authorization request and the scope of the authorization relation; the length of the authorization code message is determined by the transmission mode of the dynamic authorization code. The transmission modes include but are not limited to SMS, QR code, e-mail, telephone, video, QQ and WeChat. If SMS is the transmission mode, a shorter key is used; if QR code or e-mail is used, longer information can be carried and AES256 encryption may be used. In step S39 the authorization code message is sent to the e-mail application providing server. In a specific implementation the authorization code message is sent to the application providing server; since the terminal client and the application providing server already have a service agreement, the application providing server is the preferred channel for delivering the authorization code ciphertext.
In embodiments of the present invention, the authorization code is encrypted with an authorization code key that corresponds one-to-one to the dynamic key identification shared code, so that the authorization is valid only for the device corresponding to the current dynamic key identification shared code, which prevents harm from a stolen authorization code. The equipment application relation verification server composes the authorization code message from the authorization code ciphertext M and the dynamic key identification shared code and sends it to the application providing server.
As shown in Figure 7, the application providing server sends the dynamic authorization code and the randomly generated number to the user terminal in turn. Specifically, the application providing server sends the dynamic authorization code to the user terminal: it transmits the authorization code ciphertext M to the user through the authorization code transmission mode chosen for the current application authorization, using the account and contact details of the application, and it sends the application client a challenge random number N marking the current authorization act. Step S311 inputs the authorization code information, including but not limited to on-screen UI entry, camera scanning, image recognition, and copy and paste from mail content. The randomly generated number sent in step S312 is the e-mail application providing server's marker for managing this authorization and also serves to challenge the client voucher, i.e. the authorization response voucher. The e-mail application client obtains the authorization response voucher in steps S313 and S314.
As shown in Figure 7, the user terminal generates an authorization response message carrying the authorization response voucher from the entered dynamic authorization code and the received challenge random number and sends it to the application providing server; the authorization response message includes the randomly generated number and the dynamic authorization code ciphertext. Specifically, in step S315 the authorization response message is sent to the e-mail application providing server; in step S316 the e-mail application providing server records the flow state and forwards the message; in step S317 the authorization response message is forwarded to the equipment application relation verification server.
Specifically, the application client composes the authorization response message body Q from the received authorization code ciphertext M, the received challenge random number N, a timestamp and the first dynamic key identification shared code, and calls the equipment application relation client API; the equipment application relation client passes message body Q to the secure unit to compute the authorization response message body voucher and returns it to the application client as the authorization response voucher; the application client composes the authorization response message from message body Q and its voucher and sends it to the application providing server; the application providing server checks the random number and then forwards the authorization response message to the equipment application relation verification server.
As shown in Figure 7, the device-application relationship verification server verifies the authorization response message against the device secure registration relationship, then verifies the authorization code ciphertext, and feeds the confirmation result back to the user terminal through the application service server. This comprises: verifying with the device secure registration relationship whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key of the device secure registration relationship server and checking whether the decrypted authorization code matches the authorization code assigned by the device-application relationship verification server; if both match, adding the application corresponding to this authorization code, the user ID, the authorized service operation and the authorization time, together with the device relationship, to the device application list. Specifically, in step S318 the device-application relationship verification server first uses the first and second dynamic device verification shared codes held at the verification server and corresponding to the first dynamic key identifier shared code in the message to verify whether the authorization response credential in the message matches, i.e. it compares the credential it calculates over the authorization response message body Q with the credential of the message body Q sent in the authorization response message for equality. If they are equal, it decrypts the dynamic authorization code with the authorization code key and verifies whether it is consistent with the dynamic authorization code corresponding to the first dynamic key identifier shared code. If both checks pass, the e-mail application corresponding to this dynamic authorization code, the user ID, the authorized service operation and the authorization time are added with the device relationship to the secure device application list. In step S319 the device-application relationship verification server sends an authorization notification message informing the e-mail application service server that the authorization flow has ended.
Specifically, the application service server checks the dynamic key identifier shared code and the challenge random number, records the authorization flow state, and forwards the authorization response message to the device-application relationship verification server. The device-application relationship verification server uses the first dynamic key identifier shared code in the authorization response message to look up the first dynamic device verification shared code, the second dynamic device verification shared code and the authorization code key. It calculates the authorization response message body credential using the first and second dynamic device verification shared codes and compares the credential sent in the message with the calculated one; if they are equal it continues to verify the authorization code, otherwise it stops the authorization process. The device-application relationship verification server decrypts the authorization code ciphertext M in the message with the corresponding authorization code key and compares the plaintext with the plaintext authorization code it recorded when assigning this authorization; if they are consistent, the authorization item corresponding to the plaintext authorization code is approved and recorded in the device list entry corresponding to this first dynamic key identifier shared code, and an authorization notification message is sent to the application service server; if they are inconsistent, the relevant failure information is included in the authorization notification message sent to the application service server.
In step S320 the e-mail application service server forwards the authorization notification message to the e-mail application client of the user terminal. The device-application relationship client receives the authorization notification message and, after the message body credential passes verification, ends the authorization flow. In step S321 the device-application relationship client verifies the authorization notification message using the first and second dynamic device verification shared codes of the device; according to the result, the e-mail application client saves the successfully authorized application information to the device-application relationship client. The authorized application information is, for example, the e-mail account, the mail service provider and the mail service description.
Specifically, the authorization notification message consists of the challenge random number from the authorization response message and the judgement result. The application service server generates the corresponding application behaviour according to the authorization notification message and notifies the application client of the result. The device-application relationship client receives the authorization notification message, and the authorization process between the application and account and the device secure registration relationship ends.
As shown in Figure 8, the detailed process in which a user terminal that has completed device registration and application and account authorization initiates a login request to the application service server and performs security authentication through the device-application relationship verification server is as follows: the user terminal sends a login request message to the application service server; the application service server sends a device application verification request message to the user terminal; the user terminal sends a device application access credential message to the application service server; the application service server processes the device application access credential message and sends it to the device-application relationship verification server; the device-application relationship verification server verifies the device application access credential message against the device secure registration relationship of the application and account and sends a device application verification result message to the application service server; the application service server responds to the login request message of the user terminal according to the application secure access authentication result contained in the device application verification result message. The security authentication method provided by the embodiment of the present invention can automatically verify the application and account access request against the device relationship, saving the user the step of manually entering a verification code. The embodiment of the present invention is illustrated below using a corporate intranet code access secure login authentication process as a preferred example.
As shown in Figure 9, the user terminal sends an application login request message to the application service server. The application client initiates an access request to the application service server; the application service server determines that device-application relationship authentication is required and sends a device application verification request message to the user terminal, where the message includes a session ID used to mark the specific session being verified. Specifically, for example, the code access client initiates an application login request message to the code service server.
As shown in Figure 9, the application service server sends a device application verification request message to the user terminal. Specifically, in step S42 the code service server sends the device application verification request message, which causes the application client on the user terminal to perform device security verification.
As shown in Figure 9, the user terminal sends a device application access credential message to the application service server. Specifically, in step S43 the device-application relationship client API is called to calculate the device application access credential message body credential; in step S44 the credential calculated by the independent secure element is returned to the code access application client via the device-application relationship client; in step S45 the code access client sends the device application access credential message to the code service server.
Specifically, after the application client receives the device application verification request message, the client application calls the device-application relationship client API and submits a device application access credential message body containing information such as the first dynamic key identifier shared code, the session ID, the timestamp, the application name, the application service provider information and the user name; the device-application relationship client generates the device application access credential message for the current request. The device application access credential message consists of the message body and the encrypted device application access credential message body credential; the message body includes but is not limited to the application name, application account, application side information, random number, timestamp, session ID and first dynamic key identifier shared code. The application client calls the device-application relationship client API to calculate the device application access credential message body credential; the secure element returns the credential; the device-application relationship client delivers the device application access credential message, comprising the device application access credential message body and the device application access credential message body credential, to the application client; and the application client sends the device application access credential message to the application service server.
As shown in Figure 9, the application service server processes the device application access credential message and sends it to the device-application relationship verification server. Specifically, in step S46 the code service server checks that the message is the response to the current access request and that the session ID is valid; in step S47, after the check passes, the device application access credential message is forwarded to the device-application relationship verification server. That is, after the application service server receives the device application access credential message and checks that the session ID is valid, it sends the message to the device-application relationship verification server.
As shown in Figure 9, the device-application relationship verification server verifies the device application access credential message against the device secure registration relationship of the application and account and sends a device application verification result message to the application service server; the application service server responds to the application login request message of the user terminal according to the application secure access authentication result contained in the device application verification result message. In step S48 the device-application relationship verification server uses the first dynamic key identifier shared code in the device application access credential message to look up the corresponding first and second dynamic device verification shared codes held at the verification server, calculates the device application access credential message body verification credential with them, and checks whether the device application access credential message body credential in the message is consistent with the calculated verification credential. If consistent, it further checks whether the device application list includes an authorization for the requesting account in the message and an authorization relationship with the code application, thereby producing a judgement of whether the current application and account access comes from an authorized user terminal. In step S49 the device application verification result message is sent to the code service server, and the code verification service server decides, according to the result indicated in the message, whether to grant the service for the current request.
Specifically, the device-application relationship verification server receives the device application access credential message and uses the first dynamic key identifier shared code to look up the first and second dynamic device verification shared codes in the application relationship verification server. It calculates the message body credential of the device application access credential message using the first and second dynamic device verification shared codes and compares the calculated credential with the credential sent in the message. If the result is consistent, it further checks whether the corresponding device holds an authorization for the application, account or behaviour, thereby obtaining the verification result. It generates a device application verification result message comprising the session ID, the judgement result and the result side information, and sends this message to the application service server; the message content includes but is not limited to the information listed. The application service server determines, from the result and side information in the device application verification result message, which of the currently accessed services need to be provided.
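The access credential check of steps S43 to S49 above, as an added example that is not part of the patent: the user terminal builds the access credential message body, the application service server checks that the message answers a live session ID before forwarding it, and the verification server recomputes the credential from the shared codes it looks up by the first dynamic key identifier shared code and then consults the device application list. HMAC-SHA256 as the credential calculation, the timestamp freshness window and all class and field names are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time


def message_body_credential(code1: bytes, code2: bytes, body: dict) -> str:
    """Credential over a message body. Assumption: HMAC-SHA256 keyed by the hash of the
    two dynamic device verification shared codes (the patent only says "calculated")."""
    key = hashlib.sha256(code1 + code2).digest()
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def access_credential_message(key_id, code1, code2, app_name, account, session_id, now=None):
    """Steps S43-S45 on the user terminal; code1/code2 would live in the secure element."""
    body = {  # fields the patent lists for the access credential message body
        "app_name": app_name, "account": account, "session_id": session_id,
        "nonce": secrets.token_hex(8), "key_id": key_id,
        "timestamp": int(time.time()) if now is None else now,
    }
    return {"body": body, "credential": message_body_credential(code1, code2, body)}


class RelationshipVerificationServer:
    """Device-application relationship verification server (steps S48-S49)."""

    MAX_SKEW = 300  # seconds; the freshness window is an assumption, not in the patent

    def __init__(self):
        self.registrations = {}  # key_id -> (code1, code2): device secure registration
        self.app_list = {}       # key_id -> {(app_name, account)}: device application list

    def register_device(self, key_id, code1, code2):
        self.registrations[key_id] = (code1, code2)
        self.app_list.setdefault(key_id, set())

    def authorize(self, key_id, app_name, account):
        self.app_list[key_id].add((app_name, account))

    def verify_access_message(self, msg, now=None):
        body = msg["body"]
        result = {"session_id": body.get("session_id"), "result": False, "info": ""}
        codes = self.registrations.get(body.get("key_id"))
        if codes is None:
            result["info"] = "unknown key identifier"
            return result
        expected = message_body_credential(codes[0], codes[1], body)
        if not hmac.compare_digest(expected, msg["credential"]):
            result["info"] = "credential mismatch"  # body altered or codes not held
            return result
        now = int(time.time()) if now is None else now
        if abs(now - body["timestamp"]) > self.MAX_SKEW:
            result["info"] = "stale timestamp"
            return result
        granted = (body["app_name"], body["account"]) in self.app_list[body["key_id"]]
        result.update(result=granted, info="authorized" if granted else "not authorized")
        return result


class ApplicationServer:
    """Application service server: issues session IDs (S42) and forwards only messages
    that answer a live session (S46/S47)."""

    def __init__(self, verifier):
        self.verifier = verifier
        self.pending = {}  # session_id -> account awaiting device verification

    def login_request(self, account):
        session_id = secrets.token_hex(8)
        self.pending[session_id] = account
        return session_id

    def handle_access_message(self, msg):
        body = msg["body"]
        if self.pending.pop(body.get("session_id"), None) != body.get("account"):
            return False, "invalid session"  # not the response to a current request
        verdict = self.verifier.verify_access_message(msg)
        return verdict["result"], verdict["info"]


def demo():
    """Constructed run: an authorized login, a message altered after the credential
    was computed, and a login for an application the device was never authorized for."""
    c1, c2, kid = secrets.token_bytes(32), secrets.token_bytes(32), "kid-0001"
    verifier = RelationshipVerificationServer()
    verifier.register_device(kid, c1, c2)
    verifier.authorize(kid, "code-access", "alice")
    app = ApplicationServer(verifier)
    login = lambda name: access_credential_message(kid, c1, c2, name, "alice", app.login_request("alice"))
    ok, _ = app.handle_access_message(login("code-access"))
    tampered = login("code-access")
    tampered["body"]["app_name"] = "payroll"
    tampered_ok, _ = app.handle_access_message(tampered)
    other_ok, _ = app.handle_access_message(login("payroll"))
    return ok, tampered_ok, other_ok
```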
As shown in Figure 10, in the embodiment of the present invention, in order to further ensure the security of communication between the user terminal and the application service server, a life cycle needs to be set for the device secure registration relationship, and after the life cycle expires the device secure registration relationship needs to be updated. Specifically, the process for updating the device secure registration relationship is as follows: the user terminal and the device-application relationship verification server negotiate a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored in the user terminal and in the device-application relationship verification server respectively; the device-application relationship verification server generates a second dynamic key identifier shared code from its third and fourth dynamic device verification shared codes; the device-application relationship verification server sends the user terminal a device update request message carrying the second dynamic key identifier shared code and the first dynamic key identifier shared code; the user terminal generates a dynamic device update message from its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identifier shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identifier shared code and sends it to the device-application relationship verification server, where the dynamic device update message includes the user terminal update registration credential, the first dynamic key identifier shared code and the second dynamic key identifier shared code; the device-application relationship verification server verifies the dynamic device update message using its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identifier shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identifier shared code; the device-application relationship verification server generates a device update confirmation message from its third dynamic device verification shared code, fourth dynamic device verification shared code, second dynamic key identifier shared code, first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identifier shared code; and the device-application relationship verification server feeds the device update registration verification result back to the user terminal.
As shown in Figure 11, in the embodiment of the present invention the shared code update process is an update initiated by the system side for maintainability and automation, i.e. the update is initiated by the device-application relationship verification server: the device-application relationship verification server sets a life cycle for every successfully registered first and second dynamic device verification shared code, and before the life cycle expires it starts the update process for the first dynamic device verification shared code, the second dynamic device verification shared code and the dynamic key identifier shared code. Preferably, the shared code update process is initiated from the device-application relationship verification server side so that the system keeps robust security when an attack is detected.
As shown in Figure 11, the user terminal and the device-application relationship verification server negotiate the third and fourth dynamic device verification shared codes and store them in the user terminal and the device-application relationship verification server respectively. In step S71 the device-application relationship verification server and the device-application relationship client produce the third dynamic device verification shared code; in step S72 the third dynamic device verification shared code is registered in the independent secure element; in step S73, in the same way as step S71, the fourth dynamic device verification shared code is produced; in step S74 the fourth dynamic device verification shared code is registered in the independent secure element.
As shown in Figure 11, the device-application relationship verification server generates the second dynamic key identifier shared code from its third and fourth dynamic device verification shared codes. Specifically, in step S75 the device-application relationship verification server calculates the second dynamic key identifier shared code using the new third and fourth dynamic device verification shared codes.
As shown in Figure 11, the device-application relationship verification server sends the user terminal a device update request message carrying the second dynamic key identifier shared code. Specifically, in step S76 the device-application relationship verification server composes the message body of the device update request message from the server random number U, the first dynamic key identifier shared code and the second dynamic key identifier shared code, signs the message body with the device-application relationship verification server private key, and sends the device update request message formed from the message body and its signature to the device-application relationship client.
Specifically, the device-application relationship verification server produces a device update request message which consists of at least a message body comprising the server random number U, the current first dynamic key identifier shared code and the second dynamic key identifier shared code, together with a signature over the message body made with the device-application relationship verification server private key; the device-application relationship verification server sends the device update request message to the device-application relationship client.
As shown in Figure 11, the user terminal generates a dynamic device update message from its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identifier shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identifier shared code, and sends it to the device-application relationship verification server. Specifically, the device-application relationship client verifies the signature of the device update request message with the preset device-application relationship verification server public key. Steps S77 and S78 build the dynamic device update message: the user terminal update registration credential comprises the dynamic device update message main message body credential and the dynamic device update message sub-message body credential; the dynamic device update message sub-message body credential is calculated by the user terminal from its third and fourth dynamic device verification shared codes, and the dynamic device update message main message body credential is calculated by the user terminal from its first and second dynamic device verification shared codes. In step S77 the device-application relationship client composes the sub-message body of the dynamic device update message from the server random number U, the timestamp, the sub-message random number, the first dynamic key identifier shared code and the second dynamic key identifier shared code, and calculates the dynamic device update message sub-message body credential using the third and fourth dynamic device verification shared codes. In step S78 the dynamic device update message sub-message body, the dynamic device update message sub-message body credential and the main message random number are composed into the main message body of the device update message, and the device update message main message body credential is calculated using the current first and second dynamic device verification shared codes. In step S79 the device-application relationship client produces the dynamic device update message from the main message body of the dynamic device update message and the dynamic device update message main message body credential, and sends it to the device-application relationship verification server.
Specifically, the device-application relationship client verifies the signature of the device update request message with the device-application relationship verification server public key; if it passes, the following update process continues, otherwise the message is discarded. The device-application relationship client produces the dynamic device update message: it composes the sub-message body of the dynamic device update message from the server random number U, the timestamp, the sub-message random number, the first dynamic key identifier shared code and the second dynamic key identifier shared code, and calculates the dynamic device update message sub-message body credential using the third and fourth dynamic device verification shared codes. It composes the main message body of the dynamic device update message from the dynamic device update message sub-message body, the dynamic device update message sub-message body credential and the main message random number, and calculates the dynamic device update message main message body credential using the first and second dynamic device verification shared codes. The dynamic device update message is formed from the main message body of the dynamic device update message and the dynamic device update message main message body credential and sent to the device-application relationship verification server.
As shown in Figure 11, the device-application relationship verification server verifies the dynamic device update message using its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identifier shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identifier shared code. In step S710 it uses the first and second dynamic device verification shared codes corresponding to the first dynamic key identifier shared code to calculate the dynamic device update message main message body credential and compares it with the corresponding credential sent in the message for consistency. In step S711 it uses the third and fourth dynamic device verification shared codes corresponding to the second dynamic key identifier shared code to calculate the dynamic device update message sub-message body credential and checks whether it is consistent with the dynamic device update message credential contained in the message. If consistent, the following process continues, otherwise the message is discarded; this verification shows that the sender of the message holds the first dynamic key identifier shared code and the second dynamic key identifier shared code.
Specifically, the device-application relationship verification server receives the dynamic device update message, calculates the message body credential of the dynamic device update message using the current first and second dynamic device verification shared codes corresponding to the current dynamic key identifier shared code, and compares it with the dynamic device update message main message body credential that was sent; if consistent, the following process continues, otherwise the message is discarded. It then calculates the dynamic device update message sub-message body credential with the third and fourth dynamic device verification shared codes and compares it with the dynamic device update message sub-message body credential sent in the dynamic device update message; if consistent, the new shared codes are successfully registered, otherwise the message is discarded.
In step S712 the device-application relationship verification server composes the sub-message body of the device update confirmation message from a random number, the first dynamic key identifier shared code and the second dynamic key identifier shared code, and calculates the device update confirmation message sub-message body credential using the first and second dynamic device verification shared codes.
In step S713 the device-application relationship verification server composes the main message body of the device update confirmation message from the device update confirmation message sub-message body, the device update confirmation message sub-message body credential and the main message random number, and calculates the device update confirmation main message body credential using the third and fourth dynamic device verification shared codes.
As shown in Figure 11, the device-application relationship verification server feeds the device update registration verification result back to the user terminal as follows: the device-application relationship verification server sends the device update confirmation message to the user terminal; the user terminal calculates the main message body credential of the device update confirmation message using the third and fourth dynamic device verification shared codes corresponding to its second dynamic key identifier shared code, calculates the device update confirmation message sub-message body credential using the first and second dynamic device verification shared codes corresponding to its first dynamic key identifier shared code, and compares the calculated main message body credential and sub-message body credential with the corresponding main message body credential and sub-message body credential sent in the message; if both verifications pass, the user terminal sets its third dynamic device verification shared code, fourth dynamic device verification shared code and the corresponding second dynamic key identifier shared code to the successfully registered state; the user terminal saves the second dynamic key identifier shared code; the user terminal sends the device-application relationship verification server a device update registration message carrying the device registration credential produced with its third and fourth dynamic device verification shared codes and the second dynamic key identifier shared code; the device-application relationship verification server verifies the device update registration message using its third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identifier shared code; and the device-application relationship verification server feeds the device update registration verification result back to the user terminal. Specifically, in step S714 the device update confirmation message is produced: in the implementation, the device update confirmation message main message body credential is calculated over the main message body using the third and fourth dynamic device verification shared codes, and the device update confirmation message is composed of the device update confirmation message main message body and the device update confirmation message main message body credential.
Specifically, the device-application relationship verification server produces the device update confirmation message. The sub-message body of the device update confirmation message is composed of the sub-message random number, the timestamp, the first dynamic key identifier shared code and the second dynamic key identifier shared code, and the device update confirmation message sub-message body credential is calculated using the first and second dynamic device verification shared codes; the device-application relationship verification server composes the main message body of the device update confirmation message from the device update confirmation message sub-message body, the device update confirmation message sub-message body credential and the main message random number, and calculates the device update confirmation message main message body credential using the third and fourth dynamic device verification shared codes. The device update confirmation message main message body and the device update confirmation message main message body credential together constitute the device update confirmation message. The application-device relationship verification server sends the device update confirmation message to the device-application relationship client.
Step S714 application apparatus relation service for checking credentials end sends renewal of the equipment and confirms that message is to equipment application relation client End.In being embodied as, it is the most correct that equipment application relation client checks that code is shared in the second dynamic key identification;Use correspondence 3rd dynamic device checking share code and the 4th dynamic device checking share yardage calculate renewal of the equipment confirm the main message body of message with Card, confirms with renewal of the equipment that by it renewal of the equipment sent in message confirms that message main message body voucher compares;If it is consistent, then Continue follow-up flow process, otherwise abandon;Use the first dynamic device checking to share code and the checking of the second dynamic device is shared yardage and calculated Renewal of the equipment confirms message sub-message body voucher, and itself and renewal of the equipment being confirmed, the renewal of the equipment sent in message confirms message Message body voucher compares;As twice judgement is all passed through, then the 3rd dynamic device checking is shared code by equipment application relation client Share code with the second dynamic device checking and be set as the state of succeeding in registration.
Step S715 equipment application relation client will share code, the 4th dynamic device checking with the 3rd dynamic device checking Share code and the second dynamic key identification is shared code and is updated to the checking identification of current shared code and key, produce renewal of the equipment registration Message.Equipment application relation client uses client random number, timestamp, the second dynamic key identification to share code, the 3rd move Code is shared in state device authentication and the checking of the 4th dynamic device is shared code generation renewal of the equipment registration message and is sent to equipment application pass It it is authentication server.
Second dynamic key identification is shared code and is updated to current key identification by step S716 equipment application relation client Share code and be saved in individual secure unit.Equipment application relation service for checking credentials end verifies flow process according to renewal of the equipment registration message After completing checking, code, the 4th dynamic device shared code of checking, second dynamic will be shared with the 3rd dynamic device checking in service end Key identification is shared code and is shared code as current first dynamic key identification, and code, second dynamic is shared in the first dynamic device checking Device authentication is shared code and is shared code for later checking.Step S717 equipment application relation service for checking credentials end sends equipment with newly End is to equipment application relation client.This message confirmation equipment application relation service for checking credentials end and equipment application relation visitor Family end is all switched to new shared code and originates as checking authority, and renewal process terminates.
Specifically, the second dynamic key identification that equipment application relation authentication server uses message to include is shared code and is looked into Look for correspondence the 3rd dynamic device checking share code and the 4th dynamic device checking share code, calculate message body voucher and by its with The equipment sent in message compares with new registration message body voucher, after being verified, the second dynamic key identification is shared code, right Code is shared in the 3rd dynamic device checking answered and the shared code of the 4th dynamic device checking is updated to current authentication and shares code;Transmission sets The standby end that updates is to equipment application relation client.Renewal of the equipment end includes that current first dynamic key identification is altogether Enjoy code, random number.Use the 3rd dynamic device checking to share code and the renewal of the equipment that yardage is calculated is shared in the checking of the 4th dynamic device The message body voucher of end.Equipment application relation client receives renewal of the equipment end, checks current key identification Share code, use the 3rd dynamic device checking to share code and the checking of the 4th dynamic device is shared yardage and calculated renewal of the equipment end Body voucher, compares with the voucher sent in message, after being verified, and equipment application relation authentication server and equipment application relation Client all completes to be switched to the 3rd dynamic device checking and shares code, and code and new second dynamic is shared in the 4th dynamic device checking Key identification is shared code and is originated as checking authority, and renewal process terminates.
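The device update confirmation message of steps S714 to S716 and the client's two-layer credential check, as an added illustration that is not the patent's own code. The patent fixes no MAC or encoding, so the credential construction (chained HMAC-SHA256), the '|' field separator and every shared code, key identification and random value below are assumptions.

```python
"""Added example (not the patent's code): the device update confirmation
message and its two-layer credential check on the client side.
Assumptions: a credential is HMAC-SHA256 keyed with the first code of a
pair and MACed again with the second; fields are joined with '|'; all
shared codes, key identifications and random values are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


def credential(body: bytes, code_a: bytes, code_b: bytes) -> str:
    """Credential over body under one pair of dynamic device verification
    shared codes (assumed construction: chained HMAC-SHA256)."""
    inner = hmac.new(code_a, body, hashlib.sha256).digest()
    return hmac.new(code_b, inner, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class UpdateConfirm:
    """Sub body (nonce, timestamp, both key identifications) credentialed
    under the old pair, wrapped in a main body credentialed under the new pair."""
    sub_nonce: str
    timestamp: str
    kid1: str        # first dynamic key identification shared code
    kid2: str        # second dynamic key identification shared code
    sub_cred: str    # over sub_body(), computed with (k1, k2)
    main_nonce: str
    main_cred: str   # over main_body(), computed with (k3, k4)

    def sub_body(self) -> bytes:
        return "|".join([self.sub_nonce, self.timestamp, self.kid1, self.kid2]).encode()

    def main_body(self) -> bytes:
        return b"|".join([self.sub_body(), self.sub_cred.encode(), self.main_nonce.encode()])


def server_build_update_confirm(kid1, kid2, old_pair, new_pair,
                                sub_nonce, timestamp, main_nonce) -> UpdateConfirm:
    """Server side (S714): credential the sub body with the old codes and the
    main body with the new codes, so the message proves possession of both."""
    k1, k2 = old_pair
    k3, k4 = new_pair
    draft = UpdateConfirm(sub_nonce, timestamp, kid1, kid2, "", main_nonce, "")
    sub_cred = credential(draft.sub_body(), k1, k2)
    draft = UpdateConfirm(sub_nonce, timestamp, kid1, kid2, sub_cred, main_nonce, "")
    return UpdateConfirm(sub_nonce, timestamp, kid1, kid2, sub_cred, main_nonce,
                         credential(draft.main_body(), k3, k4))


class DeviceClient:
    """Device application relation client: current pair plus a newly
    negotiated pair that has not yet been confirmed."""

    def __init__(self, kid1: str, old_pair):
        self.kid1, self.pair = kid1, old_pair
        self.pending = None      # (kid2, (k3, k4)) from the negotiation step
        self.registered = False  # set once the confirmation passes both checks

    def stage_new_codes(self, kid2: str, new_pair):
        self.pending = (kid2, new_pair)

    def verify_update_confirm(self, msg: UpdateConfirm) -> bool:
        """Client side (S714): key identifications, then the main credential
        under the new pair, then the sub credential under the old pair."""
        if self.pending is None or msg.kid1 != self.kid1 or msg.kid2 != self.pending[0]:
            return False
        k3, k4 = self.pending[1]
        if not hmac.compare_digest(credential(msg.main_body(), k3, k4), msg.main_cred):
            return False  # server's new pair differs from ours, or message altered
        k1, k2 = self.pair
        if not hmac.compare_digest(credential(msg.sub_body(), k1, k2), msg.sub_cred):
            return False  # sender lacks the current pair: not the registered server
        self.registered = True
        return True

    def switch_to_new_codes(self):
        """S715/S716: promote the confirmed pair and key identification."""
        if not self.registered:
            raise RuntimeError("new codes have not been confirmed")
        self.kid1, self.pair = self.pending
        self.pending, self.registered = None, False


# Constructed sample values, not taken from the patent.
OLD_PAIR = (b"k1-first-shared-code", b"k2-second-shared-code")
NEW_PAIR = (b"k3-third-shared-code", b"k4-fourth-shared-code")


def demo() -> bool:
    """One update round: True when the confirmation verifies and the client
    has switched to the second key identification shared code."""
    client = DeviceClient("kid-0001", OLD_PAIR)
    client.stage_new_codes("kid-0002", NEW_PAIR)
    msg = server_build_update_confirm("kid-0001", "kid-0002", OLD_PAIR, NEW_PAIR,
                                      "r-sub-7a1f", "1472000000", "r-main-c3d9")
    if not client.verify_update_confirm(msg):
        return False
    client.switch_to_new_codes()
    return client.kid1 == "kid-0002" and client.pair == NEW_PAIR
```

A sender that holds only the newly negotiated pair can pass the main-body check but not the sub-body check, which is why the client promotes the new codes only after both succeed.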
As shown in Fig. 3 and Figure 12, the generation flow of the various authentication credentials for client messages in the embodiment of the present invention is as follows (the generation process of the message credential in the embodiment is illustrated with one kind of message as an example). Step S81: the application client requests the first dynamic key identification shared code of the current device. Step S82: the device application relation client returns the first dynamic key identification shared code to the application client. Step S83: the application client submits the message body, for example including but not limited to the related application name or ID, user ID or user name, service type accessed, session processing ID, side information specified by the application, challenge random number and so on, as a message sequence to the device application relation client and requests computation of the message body credential. Step S84: the device application relation client submits the message body to the personal secure unit. Step S85: the personal secure unit computes the message credential using the first dynamic device verification shared code corresponding to the device application relation client. Step S86: the personal secure unit computes the credential using the corresponding second dynamic device verification shared code. Step S87: the personal secure unit returns the credential to the device application relation client. Step S88: the device application relation client returns the credential to the application client.
To further embody the advantages of the secure access authentication method provided by the embodiment of the present invention, the embodiment also provides a user terminal applying the above method. As shown in Figure 13, the terminal includes: a device registration confirmation unit, for sending a device registration message to the device application relation verification server to establish the device secure registration relation; an application license confirmation unit, for sending an authorization request message to the device application relation verification server and establishing, on the basis of the device secure registration relation, the application-and-account to device secure registration relation; a security authentication request confirmation unit, for sending a device application access credential message to the device application relation verification server via the application providing server, the device application access credential message being generated by the login request unit from the device application verification message sent by the application providing server; and a login unit, for responding to the application login request message according to the application login response message of the application providing server, the application login response message being generated by the application providing server according to the verification result of the device application access credential message by the device application relation verification server. The secure access authentication user terminal provided by the embodiment of the present invention is described in detail below. Its working principle and process are similar to the security authentication method described above; reference can be made to that method, and it is not repeated here item by item.
As shown in Figure 14, the device registration unit includes: a first dynamic device verification shared code negotiation unit, for negotiating with the device application relation verification server the first dynamic device verification shared code and the second dynamic device verification shared code, which are stored respectively in the user terminal and in the device application relation verification server; a device registration request unit, for generating and sending to the device application relation verification server a device registration message carrying the device registration credential, the device registration message being generated according to the first dynamic device verification shared code and the second dynamic device verification shared code stored in the user terminal, and the first dynamic key identification shared code being generated by the device application relation verification server according to its own first dynamic device verification shared code and second dynamic device verification shared code and then sent to the user terminal; and a device registration confirmation unit, for receiving, verifying and saving the registration verification result of the device application relation verification server, the registration verification result being obtained after the device application relation verification server verifies the device registration message according to its first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code. The first dynamic key identification shared code is generated by the device application relation verification server according to its own first dynamic device verification shared code and second dynamic device verification shared code. The device registration message includes the device registration credential, the registration time, the device type and description, and the device location.
As shown in Figure 15, the application authorization unit includes: an application authorization request unit, for generating an authorization request message and sending it to the device application relation verification server via the application providing server; an application authorization response unit, for generating an authorization response message and sending it to the device application relation verification server via the application providing server, the authorization response message being generated according to the dynamic authorization code ciphertext and the randomly generated number and carrying an authorization response credential, where the dynamic authorization code ciphertext is generated by the device application relation verification server according to the application authorization request message and sent via the application providing server, and the randomly generated number is sent by the application providing server after the user terminal sends the dynamic authorization code; and an application license confirmation unit, for receiving, verifying and saving the application license confirmation result of the device application relation verification server, the registration verification result being obtained after the device application relation verification server verifies the authorization response message according to its first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code, and then verifies the authorization code ciphertext.
The login request unit of the secure access authentication user terminal further includes an application access credential unit, for generating the device application access credential message body; computing the device application access credential message body credential; generating the device application access credential message containing the device application access credential message body and the device application access credential message body credential; and sending the device application access credential message to the application providing server.
As shown in Figure 16, the secure access authentication user terminal further includes a device registration update unit, which includes: a second dynamic device verification shared code negotiation unit, for negotiating with the device application relation verification server the third dynamic device verification shared code and the fourth dynamic device verification shared code, which are stored respectively in the user terminal and in the device application relation verification server; a device update registration request unit, for generating and sending to the device application relation verification server a dynamic device update message carrying the device update registration credential, the dynamic device update message being generated according to the user terminal's stored first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code, where the second dynamic key identification shared code is generated by the device application relation verification server according to its own third dynamic device verification shared code and fourth dynamic device verification shared code and then sent to the user terminal; and a device update registration verification unit, for receiving, verifying and saving the registration verification result of the device application relation verification server, the update registration verification result being obtained after the device application relation verification server verifies the dynamic device update message according to its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code. The user terminal's update registration credential includes the dynamic device update message main message body credential and the dynamic device update message sub-message body credential: the sub-message body credential is computed by the user terminal from its third dynamic device verification shared code and fourth dynamic device verification shared code, and the main message body credential is computed by the user terminal from its first dynamic device verification shared code and second dynamic device verification shared code.
To further embody the advantages of the secure access authentication method provided by the embodiment of the present invention, the embodiment also provides a server applying the above method. As shown in Figure 17, the device application relation verification server includes: a device registration confirmation unit, for accepting the device registration message sent by the user terminal and establishing the device secure registration relation; an application authorization confirmation unit, for receiving the authorization request message sent by the user terminal and establishing, according to the device secure registration relation, the application-and-account to device secure registration relation; a security authentication request confirmation unit, for receiving the device application verification request message sent via the application providing server, the device application access credential message being generated by the login request unit from the device application verification request message sent by the application providing server; and a secure access authentication confirmation unit, which receives the device application access credential message and, after verification, generates the device application verification result message, which the application providing server sends as the application login response message and which the user terminal processes according to the login response result of the application providing server. The working principle and process by which the application-and-account to device secure registration relation provided by the embodiment verifies access to the application server are similar to the security authentication method described above; reference can be made to that method, and it is not repeated here item by item.
As shown in Figure 18, the device registration confirmation unit includes: a first dynamic device verification shared code negotiation unit, for negotiating with the user terminal the first dynamic device verification shared code and the second dynamic device verification shared code, which are stored respectively in the user terminal and in the device application relation verification server, the first dynamic device verification shared code and the second dynamic device verification shared code corresponding respectively to a first dynamic device verification shared code registration ID and a second dynamic device verification shared code registration ID; a first dynamic key identification shared code generation unit, for generating the first dynamic key identification shared code according to the first dynamic device verification shared code and second dynamic device verification shared code of the device application relation verification server and sending it to the user terminal; and a device registration verification unit, for receiving the device registration message sent by the user terminal, verifying it according to the first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code of the device application relation verification server, and sending the device registration confirmation result to the user terminal. The device registration message is generated according to the first dynamic device verification shared code and the second dynamic device verification shared code stored in the user terminal, and carries the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID.
As shown in Figure 19, the application license confirmation unit includes: an application authorization request processing unit, for receiving the authorization request message sent by the user terminal, generating the dynamic authorization code ciphertext according to the application authorization request message, and sending it to the user terminal via the application providing server; and an application authorization response processing unit, which receives the authorization response message sent by the user terminal, verifies it according to the first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code of the device application relation verification server, then verifies the dynamic authorization code ciphertext, generates the authorization notification message and sends it to the user terminal via the application providing server. The authorization response message is generated by the user terminal according to the dynamic authorization code ciphertext and the randomly generated number and carries an authorization response credential; the randomly generated number is sent by the application providing server to the user terminal after it sends the dynamic authorization code ciphertext. Specifically, the device application relation verification server generating the dynamic authorization code according to the application authorization request message includes: generating the dynamic authorization code according to the authorization request message; generating a dynamic authorization key according to the authorization request message; encrypting the dynamic authorization code with the dynamic authorization key; and sending the dynamic authorization code ciphertext to the application providing server. Generating the authorization notification message includes: checking, using the device secure registration relation, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key corresponding to the device secure registration relation and checking whether the decrypted authorization code matches the authorization code distributed by the device application relation verification server; and, if both match, adding the application, user ID, authorized service operation and authorization time corresponding to this authorization code to the device application list together with the device relation.
The login response unit of the device application relation verification server further includes a login request verification unit, for: using the first dynamic key identification shared code to look up, in the application relation authentication server, the first dynamic device verification shared code and the second dynamic device verification shared code; computing the message body credential of the device application access credential message with the first dynamic device verification shared code and the second dynamic device verification shared code; comparing the computed credential with the credential carried in the message; and, if they are consistent, further checking whether the corresponding application-and-account to device secure registration relation holds the authorization relation for the application and account requested in the message, thereby obtaining the verification result.
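The credential generation flow of steps S81 to S88 (Fig. 3 and Figure 12) together with the check performed by the login request verification unit just described, as an added example that is not the patent's own code; the credential chain is generalized to any number of dynamic device verification shared codes, which also covers the fifth-code extension and the single-code variant discussed later. The patent fixes no MAC or encoding, so HMAC-SHA256 per shared code, the '|' field separator, and every shared code, identifier and sample value are assumptions.

```python
"""Added example (not the patent's code): client credential generation
(S81-S88) and the server-side login request verification, with the
credential chain generalized to N dynamic device verification shared codes.
Assumptions: each shared code applies HMAC-SHA256 to the previous layer's
output; fields are joined with '|'; all codes and sample values are constructed."""
import hashlib
import hmac


def chained_credential(body: bytes, shared_codes) -> str:
    """S85-S86: MAC the body with the first shared code, then MAC that result
    with the second shared code (and any further codes, e.g. a fifth). One
    code means a single MAC: the variant without the second shared code."""
    digest = body
    for code in shared_codes:
        digest = hmac.new(code, digest, hashlib.sha256).digest()
    return digest.hex()


# S83 message sequence; field values must not contain the '|' separator.
FIELDS = ("app_id", "user_id", "service_type", "session_id", "side_info", "challenge")


def message_body(**fields) -> bytes:
    return "|".join(fields[name] for name in FIELDS).encode()


def parse_body(body: bytes) -> dict:
    return dict(zip(FIELDS, body.decode().split("|")))


class PersonalSecureUnit:
    """Holds the shared codes; the device application relation client only
    submits a body and receives the credential back (S84-S87)."""

    def __init__(self, kid: str, shared_codes):
        self._kid = kid
        self._codes = tuple(shared_codes)

    def key_identification(self) -> str:
        return self._kid  # S81-S82: only the identifier leaves the unit

    def credential(self, body: bytes) -> str:
        return chained_credential(body, self._codes)


def access_credential_message(psu: PersonalSecureUnit, **fields) -> dict:
    """S81-S88 end to end: the application client obtains the first dynamic
    key identification shared code, builds the body and gets the credential."""
    body = message_body(**fields)
    return {"kid": psu.key_identification(), "body": body,
            "credential": psu.credential(body)}


class RelationVerificationServer:
    """Device application relation verification server: shared codes indexed
    by key identification shared code, plus the application-and-account to
    device relations established in the authorization step."""

    def __init__(self):
        self._codes_by_kid = {}
        self._authorized = set()  # (kid, app_id, user_id)

    def register_device(self, kid: str, shared_codes):
        self._codes_by_kid[kid] = tuple(shared_codes)

    def authorize(self, kid: str, app_id: str, user_id: str):
        self._authorized.add((kid, app_id, user_id))

    def verify_access_credential(self, msg: dict) -> str:
        """Login request verification unit: look up the codes by kid,
        recompute the credential, compare in constant time, then require an
        authorization relation for the application and account in the body."""
        codes = self._codes_by_kid.get(msg["kid"])
        if codes is None:
            return "unknown-device"
        expected = chained_credential(msg["body"], codes)
        if not hmac.compare_digest(expected, msg["credential"]):
            return "bad-credential"
        fields = parse_body(msg["body"])
        if (msg["kid"], fields["app_id"], fields["user_id"]) not in self._authorized:
            return "not-authorized"
        return "ok"


def demo(extra_codes=()) -> str:
    """Constructed deployment: two shared codes by default, more on request."""
    codes = [b"first-dynamic-code", b"second-dynamic-code", *extra_codes]
    psu = PersonalSecureUnit("kid-0001", codes)
    server = RelationVerificationServer()
    server.register_device("kid-0001", codes)
    server.authorize("kid-0001", "mail-app", "alice")
    msg = access_credential_message(psu, app_id="mail-app", user_id="alice",
                                    service_type="login", session_id="sess-42",
                                    side_info="", challenge="chal-9f3e")
    return server.verify_access_credential(msg)
```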
As shown in Figure 20, the device application relation verification server further includes a device registration update confirmation unit, comprising: a second dynamic device verification shared code negotiation unit, for negotiating with the user terminal the third dynamic device verification shared code and the fourth dynamic device verification shared code, which are stored respectively in the user terminal and in the device application relation verification server; a second dynamic key identification shared code generation unit, for generating the second dynamic key identification shared code according to the third dynamic device verification shared code and fourth dynamic device verification shared code of the device application relation verification server and sending it to the user terminal; and a device update registration request confirmation unit, for receiving the dynamic device update message sent by the user terminal, verifying it according to the first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code of the device application relation verification server to obtain the device update confirmation message, and sending that message to the user terminal. The dynamic device update message is generated according to the user terminal's stored first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code, and carries the device update registration credential. The user terminal's update registration credential includes the dynamic device update message main message body credential and the dynamic device update message sub-message body credential: the sub-message body credential is computed by the user terminal from its third dynamic device verification shared code and fourth dynamic device verification shared code, and the main message body credential is computed by the user terminal from its first dynamic device verification shared code and second dynamic device verification shared code.
In implementation, the embodiment of the present invention has the capability of extending the capacity of device secure registration relations. The embodiment is based on the first dynamic device verification shared code and realizes verification by strengthening it with the second dynamic device verification shared code; by analogy, the same method can be extended to produce a fifth dynamic device verification shared code, raising the number of manageable devices while the technique and process of the whole invention remain unchanged. In implementation, the fifth dynamic device shared code can also be used to extend the method by encrypting once more the credential generated with the first dynamic device verification shared code and the second dynamic device verification shared code as keys; the first dynamic key identification shared code then corresponds to the first dynamic device verification shared code, the second dynamic device verification shared code and the fifth dynamic device verification shared code. The above embodiment uses the first dynamic device verification shared code and the second dynamic device verification shared code as the preferred embodiment for illustration; it should be understood that the invention is not limited to this, and other embodiments that verify with dynamic device verification shared codes, for example one, three or five dynamic device verification shared codes, can also realize the invention. Such specific schemes are essentially the same as the above embodiment; reference can be made to it with corresponding adaptive changes, and they are not repeated here item by item.
In implementation, if the second dynamic device verification shared code is not enabled and the remaining techniques, methods, systems and devices are unchanged, the embodiment of the present invention can still be deployed and still provides a method and system for access verification that is automatic and secure and does not increase the operation complexity for the end user. Likewise, when a fifth dynamic device verification shared code is added, its effect and method are consistent with those of the second dynamic device verification shared code.
In implementation, when the second dynamic device verification shared code function is not enabled, the ability to resist brute-force attack threats declines, for example against birthday attacks; moreover, the range of a single key length limits the upper bound on the number of managed device application relation clients, so the number of manageable devices is greatly reduced. For some enterprise-specific scenarios, such as those with few client devices, this is nevertheless sufficient.
In implementation, when the second dynamic device verification shared code is not used, the resulting changes are as follows: in the embodiment of the present invention, the first dynamic key identification shared code corresponds only to the first dynamic device verification shared code; computing and verifying the message body credential with the first dynamic verification shared code and the second dynamic verification shared code is transformed into computing and comparing with the first dynamic device verification shared code only; and the dynamic device application relation client and the device application relation authentication server do not manage or distribute the resources and data related to the second dynamic device verification shared code.
In summary, the secure access authentication method, user terminal and server provided by the embodiments of the present invention effectively guarantee the data security of user terminal applications accessing the application server through the double authentication of device verification and application authorization. Through dynamic device access credential technology, an attacker who has stolen a user account and password is prevented from accessing the service, or intruding on application-account-related information, through a third-party unauthorized device. The invention produces, encrypts and verifies dynamic device credentials through a continuous automated process, saving the step of manually entering a secondary user verification code on each access to a user application account. The invention prevents man-in-the-middle attacks through a double-signature mechanism, thereby guaranteeing the end-to-end security of the shared codes. Through the dynamic device verification shared code mechanism, the invention improves the system's resistance to brute-force and birthday attacks; by authorizing the mobile intelligent device through verification based on dynamic device verification shared codes, it prevents other devices from being authorized after the authorization verification code is stolen; it also provides a secure, fast and automatic key update mode that keeps the system's threat response cost and maintenance cost low; and it provides a way of extending the authentication client key that achieves extension without increasing the implementation difficulty of the encryption algorithm or affecting execution efficiency, so that the number of manageable client devices is greatly increased and the universality problem is solved. With the method described in the invention, through the authorization access authentication mechanism on the computer intelligent device accessed by the application account, after a password is stolen a third-party device cannot gain access because it is not authorized, and the system and the account holder can perceive the password leak at the first moment and remedy the security breach in time.
The present invention can help the professional application network management of enterprises and institutions to define the boundary, namely the set of devices, from which application access may be initiated. Users can authorize device-application relations in the manner described above. The present invention suits a self-service mode and the changeable, flexible needs of public users. A corporate intranet can be configured so that the operations department automatically sets up the application and device relations of the enterprise's employees, saving each employee the self-service authorization process and thereby achieving boundary control over enterprise IT access end devices.
Those skilled in the art should understand that the embodiments of the present application can be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
It should be noted that in this document relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relation or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element. Terms such as "upper" and "lower" indicate orientations or positional relations based on those shown in the drawings; they serve only to facilitate and simplify the description of the present invention and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, and therefore are not to be construed as limiting the invention. Unless otherwise expressly specified and limited, the terms "install", "connected" and "connect" are to be interpreted broadly: for example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; it may be direct, indirect through an intermediary, or internal between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the particular circumstances.
In the description of the present invention, a large number of specific details are set out. It is understood, however, that embodiments of the invention can be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description. Similarly, it should be appreciated that, to simplify the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure is not, however, to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments can be combined with one another. The invention is not limited to any single aspect, nor to any single embodiment, nor to any combination and/or permutation of these aspects and/or embodiments. Moreover, each aspect and/or embodiment of the invention may be used alone or in combination with one or more other aspects and/or embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the invention; all of them shall fall within the scope of the claims and the description of the present invention.

Claims (28)

1. A secure access authentication method, characterized by comprising:
a user terminal sending a device registration message to a device application relation verification service end to establish a device secure registration relation;
the user terminal sending an authorization request message to the device application relation verification service end, and establishing an application-and-account to device secure registration relation according to the device secure registration relation;
the user terminal sending an application login request message to an application providing service end;
the application providing service end sending a require-device-application-verification message to the user terminal;
the user terminal sending a device application access credential message to the application providing service end;
the application providing service end processing the device application access credential message and sending it to the device application relation verification service end;
the device application relation verification service end verifying the device application access credential information according to the application-and-account to device secure registration relation, and sending an application secure access authentication result to the application providing service end;
the application providing service end responding to the application login request message of the user terminal according to the application secure access authentication result.
2. The secure access authentication method according to claim 1, characterized in that the user terminal sending a device registration message to the device application relation verification service end to establish a device secure registration relation comprises:
the user terminal and the device application relation verification service end negotiating a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored respectively at the user terminal and at the device application relation verification service end; the device application relation verification service end assigning a first dynamic device verification shared code registration ID corresponding to the first dynamic device verification shared code and a second dynamic device verification shared code registration ID corresponding to the second dynamic device verification shared code;
the device application relation verification service end generating a first dynamic key identification shared code according to its first dynamic device verification shared code and second dynamic device verification shared code;
the device application relation verification service end sending to the user terminal a dynamic device shared code verification message carrying the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID, wherein the dynamic device shared code verification message comprises a dynamic device shared code verification message sub-message body voucher and a dynamic device shared code verification message signature;
the user terminal verifying the dynamic device shared code verification message sub-message body voucher according to its first dynamic device verification shared code and second dynamic device verification shared code, verifying the dynamic device shared code verification message signature using the public key of the device application relation verification server, and generating a device registration credential after the verification passes;
the user terminal sending to the device application relation verification service end a device registration message carrying the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID;
the device application relation verification service end verifying the device registration message using the first dynamic device verification shared code and the second dynamic device verification shared code that correspond, at the device application relation verification service end, to the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID carried in the device registration message;
after the device registration information verification passes, the device application relation verification service end feeding back to the user terminal a device registration confirmation message carrying the device registration verification result and the first dynamic key identification shared code.
3. The secure access authentication method according to claim 2, characterized in that the device registration message comprises one or more of: a device registration credential, a first dynamic device verification shared code registration ID, and a second dynamic device verification shared code registration ID.
4. The secure access authentication method according to claim 2, characterized in that the dynamic device shared code verification message comprises:
a dynamic device shared code verification message main message body and a dynamic device shared code verification message signature;
the dynamic device shared code verification message main message body comprises a dynamic device shared code verification message sub-message body and a dynamic device shared code verification message sub-message body voucher;
the sub-message body comprises the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID and a random salt value;
the dynamic device shared code verification message sub-message body voucher is produced from the first dynamic device verification shared code and the second dynamic device verification shared code;
the dynamic device shared code verification message signature is obtained by the device application relation verification server signing the dynamic device shared code verification message main message body with its private key.
5. The secure access authentication method according to claim 1, characterized in that the user terminal sending an authorization request message to the device application relation verification service end and establishing the application-and-account to device secure registration relation according to the device secure registration relation comprises:
the application providing service end receiving and processing the application authorization request message of the user terminal and sending it to the device application relation verification service end;
the device application relation verification service end generating a dynamic authorization code ciphertext according to the application authorization request message and sending it to the application providing service end;
the application providing service end sending the dynamic authorization code ciphertext and a randomly generated number to the user terminal in sequence;
the user terminal generating an authorization response message carrying an authorization credential according to the dynamic authorization code and the randomly generated number and sending it to the application providing service end, wherein the authorization message comprises the randomly generated number and the dynamic authorization code ciphertext;
the application providing service end receiving and processing the authorization response message of the user terminal and sending it to the device application relation verification service end;
the device application relation verification service end verifying the authorization response message according to the device secure registration relation, then verifying the dynamic authorization code ciphertext, and feeding back an application confirmation result to the user terminal via the application providing service end.
6. The secure access authentication method according to claim 5, characterized in that the device application relation verification service end generating a dynamic authorization code ciphertext according to the application authorization request message comprises:
generating a dynamic authorization code according to the authorization request message;
generating a dynamic authorization key according to the authorization request message;
encrypting the dynamic authorization code with the dynamic authorization key;
sending an authorization code message comprising the dynamic authorization code ciphertext and the first dynamic key identification shared code to the application providing service end.
7. The secure access authentication method according to claim 5, characterized in that the device application relation verification service end verifying the authorization response message according to the device secure registration relation, then verifying the authorization code ciphertext and feeding back the application confirmation result to the user terminal via the application providing service end comprises:
verifying, using the device secure registration relation, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key of the device secure registration relation service end, and verifying whether the decrypted authorization code matches the authorization code distributed by the device application relation verification service end;
if both match, adding the relation between the device and the application, user ID, authorized service operations and authorization time corresponding to this authorization code to the device application list.
8. The secure access authentication method according to claim 1, characterized by further comprising updating the device secure registration relation:
the user terminal and the device application relation verification service end negotiating a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored respectively at the user terminal and at the device application relation verification service end;
the device application relation verification service end generating a second dynamic key identification shared code according to its third dynamic device verification shared code and fourth dynamic device verification shared code;
the device application relation verification service end sending to the user terminal a require-device-update message carrying the second dynamic key identification shared code and the first dynamic key identification shared code;
the user terminal generating a dynamic device update message according to its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code, and sending it to the device application relation verification service end, wherein the dynamic device update message comprises a user terminal update registration credential, the first dynamic key identification shared code and the second dynamic key identification shared code;
the device application relation verification service end verifying the dynamic device update message according to its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code;
the device application relation verification service end generating a device update confirmation message according to its third dynamic device verification shared code, fourth dynamic device verification shared code, second dynamic key identification shared code, first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code;
the device application relation verification service end feeding back a device update registration verification result to the user terminal.
9. The secure access authentication method according to claim 8, characterized in that the device application relation verification service end feeding back the device update registration verification result to the user terminal comprises:
the device application relation verification service end feeding back a device update confirmation message to the user terminal;
the user terminal calculating the main message body voucher of the device update confirmation message from the third dynamic device verification shared code and fourth dynamic device verification shared code that correspond to its second dynamic key identification shared code, calculating the sub-message body voucher of the device update confirmation message from the first dynamic device verification shared code and second dynamic device verification shared code that correspond to its first dynamic key identification shared code, and comparing the calculated main message body voucher and sub-message body voucher against the main message body voucher and sub-message body voucher sent in the message;
if both verifications pass, the user terminal setting its third dynamic device verification shared code, fourth dynamic device verification shared code and the corresponding second dynamic key identification shared code to the registered state;
the user terminal saving the second dynamic key identification shared code;
the user terminal sending to the device application relation verification service end a device update registration message carrying a device registration credential produced with its third dynamic device verification shared code and fourth dynamic device verification shared code, and the second dynamic key identification shared code;
the device application relation verification service end verifying the device update registration message according to its third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code;
the device application relation verification service end feeding back the device update registration verification result to the user terminal.
10. The secure access authentication method according to claim 8, characterized in that the user terminal update registration credential comprises a dynamic device update message main message body voucher and a dynamic device update message sub-message body voucher:
the dynamic device update message sub-message body voucher is calculated by the user terminal from its third dynamic device verification shared code and fourth dynamic device verification shared code;
the dynamic device update message main message body voucher is calculated by the user terminal from its first dynamic device verification shared code and second dynamic device verification shared code.
11. The secure access authentication method according to claim 1, characterized in that the require-device-application-verification message carries a session processing ID.
12. The secure access authentication method according to claim 1, characterized in that the user terminal sending a device application access credential message to the application providing service end comprises:
producing a device application access credential message body including the session processing ID, and calculating a device application access credential message body voucher corresponding to the session processing ID;
generating a device application access credential message comprising the device application access credential message body and the device application access credential message body voucher;
sending the device application access credential message to the application providing server.
13. The secure access authentication method according to claim 1, characterized in that the device application relation verification service end verifying the device application access credential information according to the application-and-account to device secure registration relation comprises:
using the first dynamic key identification shared code to look up the first dynamic device verification shared code and the second dynamic device verification shared code in the application relation verification server;
calculating the message body voucher of the device application access credential message using the first dynamic device verification shared code and the second dynamic device verification shared code;
comparing whether the calculated voucher is consistent with the voucher sent in the message; if consistent, further checking whether the corresponding application-and-account to device secure registration relation contains the authorization relation of the application and account requested in the message, thereby obtaining the verification result.
14. A secure access authentication user terminal, characterized by comprising:
a device registration unit for sending a device registration message to a device application relation verification service end to establish a device secure registration relation;
an application authorization unit for sending an authorization request message to the device application relation verification service end and establishing an application-and-account to device secure registration relation according to the device secure registration relation;
a login request unit for sending an application login request message to an application providing service end;
a secure authentication request unit for sending a device application verification request message to the device application relation verification service end via the application providing service end, wherein the device application access credential message is generated from the require-device-application-verification message that the application providing service end sends to the login request unit;
a login unit for responding to the login request message according to the login response result of the application providing service end, wherein the login response result is generated by the application providing service end after the device application relation verification service end verifies the device application access credential information according to the application-and-account to device secure registration relation.
15. The secure access authentication user terminal according to claim 14, characterized in that the device registration unit comprises:
a first dynamic device verification shared code negotiation unit for negotiating with the device application relation verification service end to generate a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored respectively at the user terminal and at the device application relation verification service end;
a device registration request unit for generating, and sending to the device application relation verification service end, a device registration message carrying a device registration credential, wherein the device registration message comprises a first dynamic device verification shared code registration ID and a second dynamic device verification shared code registration ID;
wherein the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID are the registration IDs, corresponding to the first dynamic device verification shared code and the second dynamic device verification shared code, that the device application relation verification service end generates and sends to the user terminal;
wherein the device registration message is generated according to the first dynamic device verification shared code and second dynamic device verification shared code stored at the user terminal, and the first dynamic device verification shared code registration ID and second dynamic device verification shared code registration ID;
a device registration confirmation unit for receiving, verifying and saving the first dynamic key identification shared code and the registration verification result of the device application relation verification service end, wherein the registration verification result is obtained after the device application relation verification service end verifies the device registration message according to its first dynamic device verification shared code, second dynamic device verification shared code and shared code;
wherein the first dynamic key identification shared code is generated by the device application relation verification service end according to its first dynamic device verification shared code and second dynamic device verification shared code.
16. The secure access authentication user terminal of claim 15, wherein the device registration message includes: a device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID.
17. The secure access authentication user terminal of claim 14, wherein the application authorization unit includes:
an application authorization request unit, configured to generate an authorization request message and send it through the application providing server to the device-application relation verification server;
an application authorization response unit, configured to generate an authorization response message and send it through the application providing server to the device-application relation verification server; the authorization response message is generated from the dynamic authorization code ciphertext and a randomly generated number and carries an authorization credential; the dynamic authorization code ciphertext is generated by the device-application relation verification server from the application authorization request message and sent through the application providing server, and the randomly generated number is sent by the application providing server after it has sent the dynamic authorization code to the user terminal;
an application permission confirmation unit, configured to receive the application permission confirmation result from the device-application relation verification server, verify it and store it; the permission confirmation result is obtained by the device-application relation verification server by first verifying the authorization response message using the first dynamic device verification shared code, the second dynamic device verification shared code and the first dynamic key identification shared code held by the device-application relation verification server, and then verifying the authorization code ciphertext.
18. The secure access authentication user terminal of claim 14, wherein the login request unit further includes an application access credential unit, configured to: produce a device application access credential message body; compute the device application access credential message body credential; generate a device application access credential message that includes the device application access credential message body and the device application access credential message body credential; and send the device application access credential message to the application providing server.
19. The secure access authentication user terminal of claim 14, further including a device registration update unit, which includes:
a second dynamic device verification shared code negotiation unit, configured to negotiate with the device-application relation verification server to generate a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored respectively in the user terminal and in the device-application relation verification server;
a device update registration request unit, configured to generate a dynamic device update message carrying the device update credential and send it to the device-application relation verification server; the dynamic device update message is generated from the first dynamic device verification shared code, the second dynamic device verification shared code, the first dynamic key identification shared code, the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code stored in the user terminal; the second dynamic key identification shared code is generated by the device-application relation verification server from the third dynamic device verification shared code and the fourth dynamic device verification shared code held by the device-application relation verification server and then sent to the user terminal;
a device update registration verification unit, configured to receive the registration verification result from the device-application relation verification server, verify it and store it; the update registration verification result is obtained by the device-application relation verification server after verifying the dynamic device update message using the first dynamic device verification shared code, the second dynamic device verification shared code, the first dynamic key identification shared code, the second dynamic device verification shared code, the third dynamic device verification shared code and the fourth dynamic key identification shared code held by the device-application relation verification server.
20. The secure access authentication user terminal of claim 16, wherein the user terminal update registration credential includes a dynamic device update message main message body credential and a dynamic device update message sub-message body credential:
the dynamic device update message sub-message body credential is computed by the user terminal from the third dynamic device verification shared code and the fourth dynamic device verification shared code of the user terminal;
the dynamic device update message main message body credential is computed by the user terminal from the first dynamic device verification shared code and the second dynamic device verification shared code of the user terminal.
21. A device-application relation verification server, characterized in that it includes:
a device registration confirmation unit, configured to accept the device registration message sent by the user terminal and establish a device secure registration relation;
an application permission confirmation unit, configured to receive the authorization request message sent by the user terminal and, based on the device secure registration relation, establish an application-account-device secure registration relation;
a security authentication request confirmation unit, configured to receive the device application access credential message sent through the application providing server; the device application access credential message is generated in response to the device application verification request message that the application providing server sends to the login request unit;
a login response unit, configured to verify the device application access credential information against the application-account-device secure registration relation, generate an application secure access authentication result and a login response result, and send them through the application providing server; the user terminal responds to the login request message according to the login response result received from the application providing server.
22. The device-application relation verification server of claim 21, wherein the device registration confirmation unit includes:
a first dynamic device verification shared code negotiation unit, configured to negotiate with the user terminal to produce a first dynamic device verification shared code and a second dynamic device verification shared code, stored respectively in the user terminal and in the device-application relation verification server, together with the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID that correspond to the first dynamic device verification shared code and the second dynamic device verification shared code;
a first dynamic key identification shared code generation unit, configured to generate a first dynamic key identification shared code from the first dynamic device verification shared code and the second dynamic device verification shared code held by the device-application relation verification server, and send it to the user terminal;
a device registration confirmation unit, configured to receive the device registration message sent by the user terminal, verify the device registration message using the first dynamic device verification shared code, the second dynamic device verification shared code and the first dynamic key identification shared code held by the device-application relation verification server, and send a device registration confirmation result to the user terminal; the device registration message is generated from the first dynamic device verification shared code and the second dynamic device verification shared code stored in the user terminal together with the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID, and carries the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID.
23. The device-application relation verification server of claim 21, wherein the application permission confirmation unit includes:
an application authorization request processing unit, configured to receive the authorization request message sent by the user terminal, generate a dynamic authorization code ciphertext from the application authorization request message, and send it through the application providing server to the user terminal;
an application authorization response processing unit, configured to receive the authorization response message sent by the user terminal, verify the authorization response message using the first dynamic device verification shared code, the second dynamic device verification shared code and the first dynamic key identification shared code held by the device-application relation verification server, then verify the dynamic authorization code ciphertext, generate an authorization notification message and send it through the application providing server to the user terminal; the authorization response message is generated by the user terminal from the dynamic authorization code ciphertext and the randomly generated number and carries an authorization credential; the randomly generated number is sent by the application providing server after it has sent the dynamic authorization code ciphertext to the user terminal.
24. The device-application relation verification server of claim 21, wherein generating the dynamic authorization code from the application authorization request message includes:
generating a dynamic authorization code from the authorization request message;
generating a dynamic authorization key from the authorization request message;
encrypting the dynamic authorization code with the dynamic authorization key;
sending the dynamic authorization code ciphertext to the application providing server.
25. The device-application relation verification server of claim 24, wherein generating the authorization notification message includes:
checking, against the device secure registration relation, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key of the corresponding device secure registration relation and checking whether the decrypted authorization code matches the authorization code issued by the device-application relation verification server;
if every check matches, adding the application corresponding to this authorization code, the user ID, the authorized service operations and the time of authorization, as a relation with the device, to the device application list.
26. The device-application relation verification server of claim 21, wherein the login response unit further includes a login request verification unit, configured to:
use the first dynamic key identification shared code to look up the first dynamic device verification shared code and the second dynamic device verification shared code in the application relation verification server;
use the first dynamic device verification shared code and the second dynamic device verification shared code to compute the message body credential of the device application access credential message;
compare whether the computed credential is consistent with the credential sent in the message;
if they are consistent, further check whether the corresponding application-account-device secure registration relation holds an authorization relation for the application and account requested in the message, thereby obtaining the verification result.
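To make the server-side checks of claims 24 to 26 concrete, the following Python simulation of the verification server and the user terminal is an added example and not the patent's own code. It assumes, because the claims name no algorithm, that the message body credential is HMAC-SHA256 keyed with both device verification shared codes, that the unnamed cipher of claim 24 is replaced by an HMAC-derived one-time pad, and that the first dynamic key identification shared code serves as the lookup handle for the registration relation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def voucher(code1: bytes, code2: bytes, body: bytes) -> bytes:
    """Message body credential: HMAC-SHA256 over the body keyed with both dynamic
    device verification shared codes (assumption: the claims name no algorithm)."""
    return hmac.new(code1 + code2, body, hashlib.sha256).digest()


def pad_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-derived one-time pad standing in for the unspecified cipher of claim 24.
    Acceptable here only because every dynamic authorization key is used exactly once."""
    pad = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


@dataclass
class Registration:
    """Device secure registration relation kept by the verification server."""
    dev_code1: bytes                    # first dynamic device verification shared code
    dev_code2: bytes                    # second dynamic device verification shared code
    auth_code: Optional[bytes] = None   # dynamic authorization code (claim 24)
    auth_key: Optional[bytes] = None    # dynamic authorization key (claim 24)
    pending: Optional[tuple] = None     # (app, account) awaiting confirmation
    app_list: dict = field(default_factory=dict)   # device application list (claim 25)


class VerificationServer:
    def __init__(self) -> None:
        self.regs: dict = {}   # first dynamic key identification shared code -> Registration

    def register(self, dev_code1: bytes, dev_code2: bytes) -> bytes:
        """Returns the first dynamic key identification shared code used as lookup handle."""
        key_id = secrets.token_bytes(16)
        self.regs[key_id] = Registration(dev_code1, dev_code2)
        return key_id

    def issue_authorization(self, key_id: bytes, app: str, account: str) -> bytes:
        """Claim 24: generate a dynamic authorization code and key, return the ciphertext."""
        reg = self.regs[key_id]
        reg.auth_code, reg.auth_key = secrets.token_bytes(32), secrets.token_bytes(32)
        reg.pending = (app, account)
        nonce = secrets.token_bytes(16)
        return nonce + pad_xor(reg.auth_key, nonce, reg.auth_code)

    def confirm_authorization(self, key_id: bytes, ciphertext: bytes,
                              rand_num: bytes, cert: bytes) -> bool:
        """Claim 25: check the authorization credential, decrypt the echoed ciphertext,
        compare it with the issued code, then record the app/account relation."""
        reg = self.regs.get(key_id)
        if reg is None or reg.pending is None:
            return False
        expected = voucher(reg.dev_code1, reg.dev_code2, key_id + ciphertext + rand_num)
        if not hmac.compare_digest(expected, cert):
            return False
        decrypted = pad_xor(reg.auth_key, ciphertext[:16], ciphertext[16:])
        if not hmac.compare_digest(decrypted, reg.auth_code):
            return False
        reg.app_list[reg.pending] = ["login"]                 # authorized service operations
        reg.auth_code = reg.auth_key = reg.pending = None      # authorization is single-use
        return True

    def verify_access_credential(self, key_id: bytes, body: bytes, presented: bytes,
                                 app: str, account: str) -> bool:
        """Claim 26: look up the shared codes by key id, recompute the message body
        credential, compare in constant time, then check the authorization relation."""
        reg = self.regs.get(key_id)
        if reg is None:
            return False
        if not hmac.compare_digest(voucher(reg.dev_code1, reg.dev_code2, body), presented):
            return False
        return (app, account) in reg.app_list


def terminal_response(dev_code1: bytes, dev_code2: bytes, key_id: bytes,
                      ciphertext: bytes, rand_num: bytes):
    """User terminal side: the ciphertext is echoed unchanged (the terminal never
    decrypts it) and the credential binds it together with the random number."""
    return ciphertext, voucher(dev_code1, dev_code2, key_id + ciphertext + rand_num)


def run_flow() -> dict:
    """Constructed end-to-end run; returns the outcome of each check."""
    c1, c2 = secrets.token_bytes(32), secrets.token_bytes(32)   # negotiated shared codes
    srv = VerificationServer()
    key_id = srv.register(c1, c2)
    ct = srv.issue_authorization(key_id, "mailapp", "alice")
    rand_num = secrets.token_bytes(8)                            # from the application server
    echoed, cert = terminal_response(c1, c2, key_id, ct, rand_num)
    body = b"app=mailapp;account=alice;ts=1700000000"             # constructed message body
    return {
        "authorized": srv.confirm_authorization(key_id, echoed, rand_num, cert),
        "replay": srv.confirm_authorization(key_id, echoed, rand_num, cert),
        "login_ok": srv.verify_access_credential(key_id, body, voucher(c1, c2, body), "mailapp", "alice"),
        "forged": srv.verify_access_credential(key_id, body, voucher(c1, b"x" * 32, body), "mailapp", "alice"),
        "other_app": srv.verify_access_credential(key_id, body, voucher(c1, c2, body), "bank", "alice"),
    }
```

The run shows why the lookup-by-key-id step matters: a credential computed with a wrong shared code, a replayed authorization response and a login for an application that was never authorized all fail, while the genuine flow passes.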
27. The device-application relation verification server of claim 21, further including a device registration update confirmation unit, which includes:
a second dynamic device verification shared code negotiation unit, configured to negotiate with the user terminal a third dynamic device verification shared code and a fourth dynamic device verification shared code, stored respectively in the user terminal and in the device-application relation verification server;
a second dynamic key identification shared code generation unit, configured to generate a second dynamic key identification shared code from the third dynamic device verification shared code and the fourth dynamic device verification shared code held by the device-application relation verification server, and send it to the user terminal;
a device update registration request confirmation unit, configured to receive the dynamic device update message sent by the user terminal, verify the dynamic device update message using the first dynamic device verification shared code, the second dynamic device verification shared code, the first dynamic key identification shared code, the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code held by the device-application relation verification server, obtain an update registration confirmation message and send it to the user terminal; the dynamic device update message is generated from the first dynamic device verification shared code, the second dynamic device verification shared code, the first dynamic key identification shared code, the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code stored in the user terminal; the dynamic device update message carries the device update registration credential.
28. The device-application relation verification server of claim 27, wherein the user terminal update registration credential includes a dynamic device update message main message body credential and a dynamic device update message sub-message body credential:
the dynamic device update message sub-message body credential is computed by the user terminal from the third dynamic device verification shared code and the fourth dynamic device verification shared code of the user terminal;
the dynamic device update message main message body credential is computed by the user terminal from the first dynamic device verification shared code and the second dynamic device verification shared code of the user terminal.
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2016102046348 2016-04-03
CN201610204634.8A CN105743916A (en) 2016-04-03 2016-04-03 Information processing method, system and device for enhancing access security

Publications (2)

Publication Number Publication Date
CN106302502A true CN106302502A (en) 2017-01-04
CN106302502B CN106302502B (en) 2019-08-02

Family

ID=56252769

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201610204634.8A Withdrawn CN105743916A (en) 2016-04-03 2016-04-03 Information processing method, system and device for enhancing access security
CN201610757520.6A Expired - Fee Related CN106302502B (en) 2016-04-03 2016-08-29 A kind of secure access authentication method, user terminal and server-side

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201610204634.8A Withdrawn CN105743916A (en) 2016-04-03 2016-04-03 Information processing method, system and device for enhancing access security

Country Status (1)

Country Link
CN (2) CN105743916A (en)

Also Published As

Publication number Publication date
CN106302502B (en) 2019-08-02
CN105743916A (en) 2016-07-06


Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
    Effective date of registration: 20170828
    Address after: 100107 Beijing Chaoyang District Wankexingyuan 4 Building 805
    Applicant after: Guo Zhengzheng
    Address before: 100084 Beijing Zhongguancun East Road, No. 1, building No. 8, ground floor, No. CB108-018, No.
    Applicant before: BEIJING DONGSHI TECHNOLOGY Co.,Ltd.
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20190802